Abstract

Reactivity is an essential property of a synchronous program. Informally, it guarantees that at each instant the program fed with an input will 'react' producing an output. In the present work, we consider a refined property that we call feasible reactivity. Beyond reactivity, this property guarantees that at each instant both the size of the program and its reaction time are bounded by a polynomial in the size of the parameters at the beginning of the computation and the size of the largest input. We propose a method to annotate programs and we develop related static analysis techniques that guarantee feasible reactivity for programs expressed in the Sπ-calculus. The latter is a synchronous version of the π-calculus based on the SL synchronous programming model.

1 Introduction 

Mastering the computational complexity of programs is an important aspect of computer security with applications ranging from embedded systems to mobile code and smartcards. One approach to this problem is to monitor the resource consumption at run time and to raise an exception when some bound is reached. A variant of this approach is to instrument the code so that bounds are checked at appropriate points. An alternative approach is to statically analyse the program to guarantee that during the execution it will respect certain resource bounds. In other words, the first approach performs a dynamic verification while the second relies on a static analysis. As usual, the main advantage of the first approach is its flexibility while the advantage of the second approach is the fact that it does not introduce an overhead at run time and, perhaps more importantly, that it allows an early detection of 'buggy' programs. In this work, we will focus on the static analyses, which offer the more challenging problems, while keeping in mind that the two approaches are complementary. For instance, static analyses may be helpful in reducing the frequency of dynamic verifications.
When addressing the issue of resource control, there is a variety of properties of a
program that one may check. Termination is probably the first one that comes to mind. 
However, in the context of interactive programs, this property should be refined into reac- 
tivity. In general, the set of reactive programs can be defined (co-inductively) as the largest 
set R of programs that terminate and such that each interaction with the environment leads 
to a program which is again in the set R. 

If a program manipulates data values of variable size such as lists, trees, graphs, . . . then 
the analysis can go beyond reactivity and, for instance, it can establish that the program 
reacts while using a feasible amount of resources where feasible can be understood, for 
instance, as computable in polynomial time. In this case, the analysis produces a function 
that bounds the time (or space) needed for the reaction depending on the size of certain 
parameters. 

There is a large collection of static analysis techniques (see, e.g., [HI [TJ [121 [131 [HI M) that allow one to establish feasible reactivity of functional programs. A common feature of
these methods is the combination of traditional termination methods with what could be 
called a data-size flow analysis. By this we mean a method to describe how the size of the 
values computed by a program depends on the size of the values taken in input. 

In [HI [6], we have started a research programme that aims at extending this approach to a synchronous, concurrent programming language. In the present work, we focus in particular on the Sπ-calculus [2]. This is a synchronous version of the π-calculus [H] which is based on the SL (synchronous language) model [10]. The latter can be regarded as a relaxation of the Esterel model [8] where the reaction to the absence of a signal within an instant can only happen at the next instant. Various full-fledged concurrent and synchronous programming languages have been developed on top of the SL model (see, e.g., [ISl[I5]) and the Sπ-calculus can be regarded as a more refined model capturing some essential aspects of those languages.

Our contribution includes (i) a methodology to annotate programs and (ii) related static analysis methods that guarantee feasible reactivity for finite control programs expressed in the Sπ-calculus.

Programs come with two kinds of annotations that concern thread identifiers and sig- 
nals. A characteristic of synchronous programs is that each thread performs some set of 
actions in a cyclic way. A cycle is different from an instant in that it can span several 
instants (possibly an unbounded number of them). We require that a subset of the thread 
identifiers mark the end of a cycle and the beginning of a new one. This annotation has no 
effect on the operational semantics but it is used to produce certain static conditions. The 
first condition is what we call the read once condition. Informally, this condition requires 
that each thread within each cycle can only read a finite number of signals. The technical 
consequence of this restriction is that the behaviour of a thread within an instant can be 
described as a function of its parameters and the (finitely many) values read within the 
same cycle. 

Thread identifiers carry two additional annotations. A basic goal is to show that each instant terminates. We are then naturally led to compare thread identifiers and their parameters according to some suitable well-founded order. For this reason we assume that each thread identifier is annotated with a status that describes how its parameters should be compared (typically, according to a lexicographic or multi-set order). Another important goal towards feasible reactivity is to show that the parameters of a thread are in a sense non-size increasing. It turns out that it is not always appropriate to consider all parameters and therefore we require that we explicitly associate with each thread identifier the (possibly proper) subset of parameters that should be considered in the analysis of its size. To summarise, a thread identifier has three kinds of annotations: one saying whether it marks the end of a cycle, another, that we call status, describing how its parameters have to be compared for termination analysis, and a final one specifying the subset of the parameters that are relevant to the computation of its size.

On one hand, a program should be allowed to emit values on a signal that depend on values read on other signals. On the other hand, we want to avoid situations where, for example, a program repeatedly reads a value on a signal and emits a larger value on the same signal. To address this issue, we assume that signal names are partitioned into a finite number of regions which are ordered. More precisely, we refine the type system so that signal types come with a region $\rho$ as in the type $Sig_\rho(t)$. In other terms, the type of a signal name explicitly carries the information on the region to which the signal name belongs. Again, this annotation does not affect the operational semantics but it is used in the generation of static conditions that guarantee feasible reactivity. Informally, the condition states that the size of a value emitted on a signal at region $\rho$ is bounded by a function of the size of the values read from signals of smaller regions.

Next, we move on to an informal description of the static conditions. First of all, we 
have to find an abstract way to describe the data-size flow of a program. To this end,
we import and adapt the concept of quasi-interpretation that has been proposed in the 
context of the analysis of the computational complexity of first-order functional programs 
[HI S]. As a second step, we describe a method to associate with a program a finite set 
of inequalities on first-order terms and prove that whenever these inequalities are satisfied 
by a (polynomially bounded) quasi-interpretation the program is feasibly reactive. The 
inequalities can be classified in three categories according to their purpose which is to 
ensure: (1) the termination of each instant, (2) that the size of the parameters of a thread 
at the beginning of each cycle is non-size increasing, (3) that the size of the values computed 
by a thread within a cycle is bounded by a polynomial in the size of the parameters of the 
thread and the size of the values read on the signals within the cycle. Obviously, these 
inequalities depend on the signal and thread annotations we described above. 

The rest of the paper is organised as follows. In section 2 we introduce the syntax of the Sπ-calculus along with some programming examples and an informal comparison with the π-calculus. In section 3 we provide the formal reduction semantics of the Sπ-calculus and we introduce the notion of feasible reactivity. In section 4 we define the different kinds of thread and signal annotations mentioned above, we show how to associate a set of inequalities with an annotated program, and we introduce the notion of assignment which provides an interpretation of the inequalities in terms of numerical functions. A quasi-interpretation is a polynomially bounded assignment which satisfies the inequalities. Our main result states that a program that admits a quasi-interpretation is feasibly reactive. We devote section 5 to an outline of the proof techniques leaving the details in an appendix.

2 The Sπ-calculus

We introduce the syntax of the Sπ-calculus along with some programming examples and an informal comparison with the π-calculus.

2.1 Programs 

Programs $P, Q, \ldots$ in the Sπ-calculus are defined as follows:

$$P ::= 0 \mid A(\vec{e}) \mid \bar{s}e \mid s(x).P,K \mid [s_1 = s_2]\,P_1,P_2 \mid [u \rhd p]\,P_1,P_2 \mid \nu s\,P \mid (P_1 \,|\, P_2)$$
$$K ::= A(\vec{r})$$

We use the notation $\vec{m}$ for a vector $m_1, \ldots, m_n$, $n \geq 0$. The informal behaviour of programs follows. $0$ is the terminated thread. $A(\vec{e})$ is a (tail) recursive call of a thread identifier $A$ with a vector $\vec{e}$ of expressions as argument; as usual the thread identifier $A$ is defined by a unique equation $A(\vec{x}) = P$ such that the free variables of $P$ occur in $\vec{x}$. $\bar{s}e$ evaluates the expression $e$ and emits its value on the signal $s$. $s(x).P,K$ is the present statement which is the fundamental operator of the SL model. If the values $v_1, \ldots, v_n$ have been emitted on the signal $s$ then $s(x).P,K$ evolves non-deterministically into $[v_i/x]P$ for some $v_i$ ($[\_/\_]$ is our notation for substitution). On the other hand, if no value is emitted then the continuation $K$ is evaluated at the end of the instant. $[s_1 = s_2]\,P_1,P_2$ is the usual matching function of the π-calculus that runs $P_1$ if $s_1 = s_2$ and $P_2$ otherwise. Here both $s_1$ and $s_2$ are free. $[u \rhd p]\,P_1,P_2$ matches $u$ against the pattern $p$. We assume $u$ is either a variable $x$ or a value $v$ and $p$ has the shape $c(\vec{p})$, where $c$ is a constructor and $\vec{p}$ is a vector of patterns. We also assume that if $u$ is a variable $x$ then $x$ does not occur free in $P_1$. At run time, $u$ is always a value and we run $\sigma P_1$ if $\sigma$ is the substitution matching $u$ against $p$, if it exists, and $P_2$ otherwise. Note that as usual the variables occurring in the pattern $p$ (including signal names) are bound. $\nu s\,P$ creates a new signal name $s$ and runs $P$. $(P_1 \,|\, P_2)$ runs $P_1$ and $P_2$ in parallel. The continuation $K$ is simply a recursive call whose arguments are either expressions or values associated with signals at the end of the instant in a sense that we explain below. We will also write $\mathsf{pause}.K$ for $\nu s\, s(x).0,K$ with $s$ not free in $K$. This is the program that waits till the end of the instant and then evaluates $K$.






2.2 Expressions 

The definition of programs relies on the following syntactic categories:

$$\begin{array}{lcll}
Sig & ::= & s \mid s' \mid \cdots & \text{(signal names)}\\
Var & ::= & Sig \mid x \mid y \mid z \mid \cdots & \text{(variables)}\\
Cnst & ::= & * \mid \mathsf{nil} \mid \mathsf{cons} \mid c \mid d \mid \cdots & \text{(constructors)}\\
Val & ::= & Sig \mid Cnst(Val, \ldots, Val) & \text{(values } v, v', \ldots)\\
Pat & ::= & Var \mid Cnst(Pat, \ldots, Pat) & \text{(patterns } p, p', \ldots)\\
Fun & ::= & f \mid g \mid \cdots & \text{(first-order function symbols)}\\
Exp & ::= & Var \mid Cnst(Exp, \ldots, Exp) \mid Fun(Exp, \ldots, Exp) & \text{(expressions } e, e', \ldots)\\
Rexp & ::= & {!}Sig \mid Var \mid Cnst(Rexp, \ldots, Rexp) \mid Fun(Rexp, \ldots, Rexp) & \text{(exp. with deref. } r, r', \ldots)
\end{array}$$

As in the π-calculus, signal names stand both for signal constants as generated by the $\nu$ operator and signal variables as in the formal parameter of the present operator. Variables $Var$ include signal names as well as variables of other types. Constructors $Cnst$ include $*$, $\mathsf{nil}$, and $\mathsf{cons}$. Values $Val$ are terms built out of constructors and signal names. The size of a value $|v|$ is defined as $|s| = |c| = 0$ if $c$ is a constant, and $|c(v_1, \ldots, v_n)| = 1 + \sum_{1 \leq i \leq n} |v_i|$ if $n \geq 1$. Patterns $Pat$ are terms built out of constructors and variables (including signal names). We assume first-order function symbols $f, g, \ldots$ whose behaviour will be defined axiomatically. Expressions $Exp$ are terms built out of variables, constructors, and function symbols. Finally, $Rexp$ are expressions that may include the value associated with a signal $s$ at the end of the instant (which is written $!s$, following the ML notation for dereferencing). Intuitively, this value is a list of values representing the set of values emitted on the signal during the instant. If $P, p$ are a program and a pattern then we denote with $fn(P), fn(p)$ the set of free signal names occurring in them, respectively. We also use $FV(P), FV(p)$ to denote the set of free variables (including signal names).

2.3 Typing 

Types include the basic type $1$ inhabited by the constant $*$ and, assuming $t$ is a type, the type $Sig(t)$ of signals carrying values of type $t$, and the type $list(t)$ of lists of values of type $t$ with constructors $\mathsf{nil}$ and $\mathsf{cons}$. In the examples, it will be convenient to abbreviate $\mathsf{cons}(v_1, \ldots, \mathsf{cons}(v_n, \mathsf{nil}) \ldots)$ with $[v_1; \ldots; v_n]$. $1$ and $list(t)$ are examples of inductive types. More inductive types (booleans, numbers, trees, ...) can be added along with more constructors. We assume that variables (including signals), constructor symbols, and thread identifiers come with their (first-order) types. For instance, a constructor $c$ may have a type $(t_1, t_2) \to t$ meaning that it expects two arguments of type $t_1$ and $t_2$ respectively and returns a value of type $t$. It is then straightforward to define when a program is well-typed and verify that this property is preserved by the following reduction semantics. We just notice that if a signal name $s$ has type $Sig(t)$ then its dereferenced value $!s$ should have type $list(t)$. In the following, we will tacitly assume that we are handling well-typed programs, expressions, substitutions, ...
2.4 Comparison with the π-calculus

The syntax of the Sπ-calculus is similar to the one of the π-calculus, however there are some important semantic differences to keep in mind.

Deadlock vs. End of instant. What happens when all threads are either terminated or waiting for an event that cannot occur? In the π-calculus, the computation stops. In the Sπ-calculus (and more generally, in the SL model), this situation is detected and marks the end of the current instant. Then suspended threads are reinitialised, signals are reset, and the computation moves to the following instant.

Channels vs. Signals. In the π-calculus, a message is consumed by its recipient. In the Sπ-calculus, a value emitted along a signal persists within an instant and it is reset at the end of it. We note that in the semantics the only relevant information is whether a given value was emitted or not, e.g., we do not distinguish the situation where the same value is emitted once or twice within an instant.

Data types. The (polyadic) π-calculus has tuples as basic data type, while the Sπ-calculus has lists. The reason for including lists rather than tuples in the basic calculus is that at the end of the instant we transform a set of values into a suitable data structure (in our case a list) that represents the set and that can be processed as a whole in the following instant. Note in particular that the list associated with a signal is $\mathsf{nil}$ if and only if no value was emitted on the signal during the instant. This allows one to detect the absence of a signal at the end of the instant.

We consider a simple example that illustrates our discussion. Assume $v_1 \neq v_2$ are two distinct values and consider the following program in Sπ:

$$P = \nu s_1, s_2\, (\bar{s}_1 v_1 \,|\, \bar{s}_1 v_2 \,|\, s_1(x).(s_1(y).(s_2(z).A(x,y),\ B(!s_1)),\ 0),\ 0)$$

If we forget about the continuations (the parts following the commas) and we regard $s_1, s_2$ as channel names then $P$ could also be viewed as a π-calculus process. In this case, $P$ would reduce to

$$P_1 = \nu s_1, s_2\, (s_2(z).A(\sigma(x), \sigma(y)))$$

where $\sigma$ is a substitution such that $\sigma(x), \sigma(y) \in \{v_1, v_2\}$ and $\sigma(x) \neq \sigma(y)$. In Sπ, signals persist within the instant and $P$ reduces to

$$P_2 = \nu s_1, s_2\, (\bar{s}_1 v_1 \,|\, \bar{s}_1 v_2 \,|\, (s_2(z).A(\sigma(x), \sigma(y)),\ B(!s_1)))$$

where $\sigma(x), \sigma(y) \in \{v_1, v_2\}$. What happens next? In the π-calculus, $P_1$ is deadlocked and no further computation is possible. In the Sπ-calculus, the fact that no further computation is possible in $P_2$ is detected and marks the end of the current instant. Then an additional computation represented by the relation $\mapsto$ moves $P_2$ to the following instant:

$$P_2 \mapsto P_2' = \nu s_1, s_2\, B(v)$$

where $v \in \{[v_1; v_2], [v_2; v_1]\}$. Thus at the end of the instant, a dereferenced signal such as $!s_1$ becomes a list of (distinct) values emitted on $s_1$ during the instant and then all signals are reset.
2.5 Programming examples

We introduce a few programming examples on which we will rely in the following to illus- 
trate our static analysis techniques. 

Example 1. The synchronous model is particularly adapted to the simulation of various kinds of systems (we refer to [17] for a number of examples). Here, we describe the behaviour of a cell of a generic cellular automaton. Each cell relies on three parameters: its own activation signal $s$, its state $q$, and the list $\ell$ of activation signals of its neighbours. The cell performs the following operations in a cyclic fashion: (i) it emits its current state on the activation signals of its neighbours, (ii) it suspends for the current instant, and (iii) it collects the values emitted by its neighbours and computes its new state. This behaviour can be programmed as follows:

$$\begin{array}{lcl}
Cell(s, q, \ell) & = & Send(s, q, \ell, \ell)\\
Send(s, q, \ell, \ell') & = & [\ell' \rhd \mathsf{cons}(s', \ell'')]\, (\bar{s}' q \,|\, Send(s, q, \ell, \ell'')),\ \mathsf{pause}.Cell(s, next(q, !s), \ell)
\end{array}$$

where $next$ is a function that computes the following state of the cell according to its current state and the state of its neighbours. We assume some finite enumerated type $state$ that contains a constant for each state. The type of the signals $s, s'$ is $Sig(state)$, the type of the lists $\ell, \ell'$ is $list(Sig(state))$, and the type of the function $next$ is $state, list(state) \to state$.

Example 2. This example describes a 'server' handling a list of requests emitted in the previous instant on the signal $s$. For each request of the shape $req(s', x)$, it provides an answer which is a function of $x$ along the signal $s'$.

$$\begin{array}{lcl}
Server(s) & = & \mathsf{pause}.Handle(s, !s)\\
Handle(s, \ell) & = & [\ell \rhd \mathsf{cons}(req(s', x), \ell')]\, (\bar{s}' f(x) \,|\, Handle(s, \ell')),\ Server(s)
\end{array}$$

Assume the function $f$ has type $t \to t'$ and assume an inductive type $treq$ with a constructor $req : Sig(t'), t \to treq$. Then the parameter $s$ has type $Sig(treq)$ and the lists $\ell, \ell'$ have type $list(treq)$.

Example 3. This example describes two threads: the thread $A(s)$ re-emits on $s$ the values that were emitted on $s$ in the previous instant while the thread $C(s)$ emits a (fresh) value on $s$.

$$\begin{array}{lcl}
A(s) & = & \mathsf{pause}.B(s, !s)\\
B(s, \ell) & = & [\ell \rhd \mathsf{cons}(n, \ell')]\, (\bar{s} n \,|\, B(s, \ell')),\ A(s)\\
C(s) & = & \nu n\, (\bar{s} n \,|\, \mathsf{pause}.C(s))
\end{array}$$

We assume that $n$ has type $Sig(1)$, $s$ has type $Sig(Sig(1))$, and the list $\ell$ has type $list(Sig(1))$.

3 Reduction semantics and feasible reactivity 

We provide the formal reduction semantics of the Sπ-calculus and we introduce the notion of feasible reactivity.
3.1 Expression evaluation



We assume an evaluation relation $\Downarrow$ such that for every function symbol $f$ and values $v_1, \ldots, v_n$ of suitable type there is a unique value $v$ such that $f(v_1, \ldots, v_n) \Downarrow v$, $fn(v) \subseteq \bigcup_{1 \leq i \leq n} fn(v_i)$, and moreover we suppose that the value $v$ can be computed in time polynomial in the size of the values $v_1, \ldots, v_n$. As already mentioned, the techniques for defining first-order functional programs that enjoy these properties are well-studied. The evaluation relation $\Downarrow$ is extended to expressions as usual:

$$\frac{}{s \Downarrow s} \qquad
\frac{e_i \Downarrow v_i \quad i = 1, \ldots, n}{c(e_1, \ldots, e_n) \Downarrow c(v_1, \ldots, v_n)} \qquad
\frac{e_i \Downarrow v_i \quad i = 1, \ldots, n \qquad f(v_1, \ldots, v_n) \Downarrow v}{f(e_1, \ldots, e_n) \Downarrow v}$$

We will abbreviate $e_1 \Downarrow v_1, \ldots, e_n \Downarrow v_n$ with $\vec{e} \Downarrow \vec{v}$.



3.2 Reduction semantics 

The (internal) behaviour of a program is specified by (i) a reduction system $\to$ describing the possible reductions of the program during an instant and (ii) an evaluation relation $\mapsto$ determining how a program evolves at the end of each instant. These definitions rely on a structural equivalence relation $\equiv$ that we introduce first.



3.2.1 Structural equivalence 

The structural equivalence $\equiv$ is the least equivalence relation on programs that identifies programs up to $\alpha$-renaming and that satisfies the following standard equations:

$$P \,|\, 0 \equiv P, \qquad P_1 \,|\, P_2 \equiv P_2 \,|\, P_1, \qquad (P_1 \,|\, P_2) \,|\, P_3 \equiv P_1 \,|\, (P_2 \,|\, P_3),$$
$$\nu s\, P \equiv P \ \text{ if } s \notin fn(P), \qquad \nu s\, P_1 \,|\, P_2 \equiv \nu s\, (P_1 \,|\, P_2) \ \text{ if } s \notin fn(P_2).$$



3.2.2 Reduction relation 

We introduce the following reduction rules:

$$\frac{e \Downarrow v}{\bar{s}e \,|\, s(x).P,K \to \bar{s}e \,|\, [v/x]P} \qquad
\frac{A(\vec{x}) = P \qquad \vec{e} \Downarrow \vec{v}}{A(\vec{e}) \to [\vec{v}/\vec{x}]P}$$

$$\frac{}{[s = s]\,P_1,P_2 \to P_1} \qquad
\frac{s \neq s'}{[s = s']\,P_1,P_2 \to P_2}$$

$$\frac{match(v, p) = \sigma}{[v \rhd p]\,P_1,P_2 \to \sigma P_1} \qquad
\frac{match(v, p) \text{ undefined}}{[v \rhd p]\,P_1,P_2 \to P_2}$$

A static context $C$ is defined by $C ::= [\,] \mid \nu s\, C \mid (C \,|\, P)$. The reduction relation $\to$ is then defined by the rule:

$$\frac{P \equiv C[P'] \qquad P' \to Q' \qquad C[Q'] \equiv Q}{P \to Q}$$
3.2.3 Suspension and evaluation at the end of the instant

We write $P \downarrow$ if $\neg \exists Q\, (P \to Q)$ and say that the program $P$ is suspended. When $P$ is suspended the instant ends and an additional computation is carried out to move to the next instant. This goes in three steps that amount to: (1) collect in lists the set of values emitted on every signal, (2) extrude the signal names contained in values visible at the end of the instant, and (3) initialise the continuations $K$ of the present statements.

To this end, we introduce first some notation. A suspended program $P$ is structurally equivalent to:

$$\nu \vec{s}\, (S \,|\, In) \qquad (1)$$

where the signal names $\vec{s}$ are all distinct, $S = \bar{s}_1 e_1 \,|\, \cdots \,|\, \bar{s}_n e_n$, $In = t_1(x_1).P_1, A_1(\vec{r}_1) \,|\, \cdots \,|\, t_m(x_m).P_m, A_m(\vec{r}_m)$, and $n, m \geq 0$ (by convention an empty parallel composition equals the program $0$). We write $\bar{s}e \in S$ to mean that $\bar{s}e$ occurs in the parallel composition $S$. We can now formalise the steps (1-3).

1. Let $V$ be a function from signal names to lists of values. We say that $V$ represents $S$ and write $V \Vdash S$ if for all signal names $s$, if $\{v_1, \ldots, v_n\} = \{v \mid \bar{s}e \in S,\ e \Downarrow v\}$ then $V(s) = [v_{\pi(1)}; \ldots; v_{\pi(n)}]$ for some permutation $\pi$.

2. We define $Free(\nu \vec{s}\, S)$ as the least set of signal names such that $Free(\nu \vec{s}\, S) \supseteq fn(\nu \vec{s}\, S)$ and if $s \in Free(\nu \vec{s}\, S)$, $\bar{s}e \in S$, $e \Downarrow v$ and $s' \in fn(v)$ then $s' \in Free(\nu \vec{s}\, S)$. For instance, $Free(\nu s_1, s_2\, (\bar{s} s_1 \,|\, \bar{s}_1 s_2)) = \{s, s_1, s_2\}$.

3. If $r$ is an expression with dereferencing then $V(r)$ is the expression resulting from the replacement of all dereferenced signals $!s$ with $V(s)$. If $A(\vec{r})$ is a continuation $K$ of a present statement, where $\vec{r}$ are closed expressions, then $Eval(A(\vec{r}), V) = A(\vec{v})$ if $V(\vec{r}) \Downarrow \vec{v}$. Finally, if $In$ is defined as in (1) then $Eval(In, V) = Eval(A_1(\vec{r}_1), V) \,|\, \cdots \,|\, Eval(A_m(\vec{r}_m), V)$.

With these conventions, we can now state the evaluation rule at the end of the instant:

$$\frac{P \downarrow \qquad P \equiv \nu \vec{s}\, (S \,|\, In) \qquad V \Vdash S \qquad \{\vec{s}'\} = \{\vec{s}\} \setminus Free(\nu \vec{s}\, S) \qquad P' = \nu \vec{s}'\, Eval(In, V)}{P \mapsto P'}$$

In this rule, (i) we decompose the suspended program into emissions and inputs, (ii) we compute a representation of the emissions, (iii) we compute the signal names extruded, and finally (iv) we remove the emitted names and initialise the continuations of the present statements.

3.3 Feasible reactivity 

At the beginning of each instant, a program receives an input that we may represent as a (fresh) thread identifier $Env$ defined by the equation $Env() = \bar{s}_1 v_1 \,|\, \cdots \,|\, \bar{s}_n v_n$. Then we write

$$P \mapsto_{Env} P' \quad \text{if } P \mapsto P'' \text{ and } P' \equiv (P'' \,|\, Env)$$

By the properties of the model, we may assume without loss of generality that in the input all values emitted on a signal $s$ are distinct.

Definition 1 (computation). A computation of a program $P$ is an infinite and countable sequence of programs $P_1, P_2, \ldots$ such that

$$P \equiv P_1 \to^* P_{i_1} \mapsto_{Env_1} P_{i_1+1} \to^* P_{i_2} \mapsto_{Env_2} P_{i_2+1} \cdots$$

In general, the reduction of $P_1, P_{i_1+1}, P_{i_2+1}, \ldots$ may fail to reach the end of the instant. We call reactive the programs that are guaranteed to suspend.

Definition 2 (reactivity). A program P is reactive if in all computations that start with 
P, the evaluation at the end of the instant occurs infinitely often. 

Example 4. With reference to example 3, a possible computation of the program $A(s) \,|\, C(s)$ is as follows:

$$\begin{array}{l}
A(s) \,|\, C(s) \to^* \mathsf{pause}.B(s, !s) \,|\, \nu n_0\, (\bar{s} n_0 \,|\, \mathsf{pause}.C(s)) \mapsto_{Env_1} B(s, [n_0]) \,|\, C(s) \to^*\\
\bar{s} n_0 \,|\, \mathsf{pause}.B(s, !s) \,|\, \nu n_1\, (\bar{s} n_1 \,|\, \mathsf{pause}.C(s)) \mapsto_{Env_2} B(s, [n_0; n_1]) \,|\, C(s) \cdots
\end{array}$$

In this case, we assume that the input at the beginning of each instant is empty, $Env_i() = 0$ for $i = 1, 2, \ldots$. Note that the order of the signal names in the list $\ell$, which is a parameter of the identifier $B$, is chosen non-deterministically at the beginning of each instant.

We assume that initially a program has the shape

$$\nu \vec{s}\, (A_1(\vec{v}_1) \,|\, \cdots \,|\, A_n(\vec{v}_n)) \qquad (2)$$

Then, by the definition of the present instruction and the input, a program will have this shape at the beginning of each instant, up to structural equivalence. The definition of feasible reactivity is relative to the size of the initial program and the size of the (largest) input. By convention, the size of a program with the shape (2) is $n$ plus the sum of the sizes of the values $\vec{v}_1, \ldots, \vec{v}_n$. The size of an input $Env$ defined by an equation $Env() = \bar{s}_1 v_1 \,|\, \cdots \,|\, \bar{s}_n v_n$ is the size of the list $[v_1; \ldots; v_n]$.

Definition 3 (feasible reactivity). A program $P$ of the shape (2) is feasibly reactive if there exists a polynomial $Q$ such that for every computation

$$P \equiv P_1 \to^* P_{i_1} \mapsto_{Env_1} P_{i_1+1} \to^* \cdots \to^* P_{i_k} \mapsto_{Env_k} P_{i_k+1} \cdots$$

if $d$ bounds the size of $P$ and the sizes of $Env_1, \ldots, Env_k$ for $k \geq 1$ then (i) $P_{i_k+1}$ (the program at the beginning of the instant $k$) has size bounded by $Q(d)$ and (ii) it is guaranteed to suspend in time less than $Q(d)$.

For instance, the program in example [3] fails to be feasibly reactive because the size of 
the parameter £ of the identifier B grows by one every instant. 
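As an added illustration of the end-of-instant computation (steps 1-3 of Section 3.2.3) and of the size measure used in Definition 3, the following Python model is example code written for this page, not part of the paper: it encodes values as tuples, implements $V \Vdash S$, $Free$ and the dereferencing step of $Eval$ over that encoding, and replays the computation of Example 4 to show the parameter $\ell$ of $B$ growing by one at every instant. The function names, the tuple encoding of values and the representation of a suspended program as lists of emissions and continuations are assumptions of the example.

```python
from collections import defaultdict
from itertools import count

# Constructed encoding (an assumption of this example): a signal name is a str; a constructed
# value is a tuple (constructor, arg_1, ..., arg_n); a constant such as nil or * is a 1-tuple.
NIL = ("nil",)

def cons(v, l):
    return ("cons", v, l)

def to_list(values):
    """[v_1; ...; v_n] = cons(v_1, ..., cons(v_n, nil) ...)."""
    out = NIL
    for v in reversed(values):
        out = cons(v, out)
    return out

def size(v):
    """|s| = |c| = 0 for names and constants, |c(v_1, ..., v_n)| = 1 + sum of |v_i|."""
    if isinstance(v, str) or len(v) == 1:
        return 0
    return 1 + sum(size(a) for a in v[1:])

def fn(v):
    """Free signal names occurring in a value."""
    if isinstance(v, str):
        return {v}
    return set().union(*(fn(a) for a in v[1:]))

def represent(S):
    """Step 1, V ⊩ S.  S is the emission part as a list of (signal, evaluated value) pairs;
    V(s) lists the distinct values emitted on s (emission order is the permutation chosen here)."""
    V = defaultdict(list)
    for s, v in S:
        if v not in V[s]:
            V[s].append(v)
    return V

def free(bound, S):
    """Step 2, Free(νs S): the least set containing fn(νs S) and closed under
    'if s is free and s̄v is in S then every name in v is free'."""
    F = set()
    for s, v in S:
        F |= ({s} | fn(v)) - set(bound)
    changed = True
    while changed:
        changed = False
        for s, v in S:
            if s in F and not fn(v) <= F:
                F |= fn(v)
                changed = True
    return F

def end_of_instant(bound, S, In):
    """Steps 1-3: return (names still bound after extrusion, continuations with !s replaced by V(s)).
    In is a list of (A, args); an argument ("deref", s) stands for !s."""
    V = represent(S)
    still_bound = set(bound) - free(bound, S)
    def deref(a):
        return to_list(V[a[1]]) if isinstance(a, tuple) and a[0] == "deref" else a
    return still_bound, [(A, [deref(a) for a in args]) for A, args in In]

def example4(instants):
    """Replay Example 4: size of the list parameter ℓ of B(s, ℓ) at the start of each instant."""
    fresh = count()
    ell, sizes = NIL, []
    for _ in range(instants):
        S = []
        l = ell                       # B(s, ℓ) re-emits every name of ℓ on s ...
        while l != NIL:
            S.append(("s", l[1]))
            l = l[2]
        n = f"n{next(fresh)}"         # ... while C(s) emits a fresh name n_i on s
        S.append(("s", n))
        # at the end of the instant A(s)'s continuation B(s, !s) receives V(s); n_i is extruded
        _, [(_, [ell])] = end_of_instant([n], S, [("B", [("deref", "s")])])
        sizes.append(size(ell))
    return sizes

if __name__ == "__main__":
    print(example4(5))
```

`example4(5)` returns `[1, 2, 3, 4, 5]`: the size of the program at the beginning of instant $k$ grows linearly with $k$ and is therefore not bounded by any function of the initial program and input sizes alone, which is exactly why Example 3 fails Definition 3.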
4 Annotations and Constraints Generation



Programs come with a finite system of recursive equations. Our static analysis actually concerns this system and it is independent of the particular program that is used to initialise the computation. The reader should keep in mind that the analysis of a program is actually the analysis of the associated system. We restrict our attention to finite control programs. To this end, we inspect the system of equations and we check that in each equation $A(\vec{x}) = P$, $P$ cannot spawn two recursive calls that run in parallel. Also, the static analysis abstracts away from the actual signal names while keeping track of the region they belong to. It will be convenient to suppose that the program does not contain trivial matchings such as a value matching a pattern ($[v \rhd p]\, P_1, P_2$) and the comparison of two identical names ($[s = s]\, P_1, P_2$). Such matchings can be removed by a trivial symbolic execution.

4.1 Reset annotations and read once condition 

We denote with $Reset$ a subset of the thread identifiers containing those thread identifiers that correspond to the beginning of a new 'cycle'. To be in $Reset$ a thread identifier $A$ has to satisfy one of the following conditions: either it is defined by an equation of the shape $A(\ldots) = \mathsf{pause}.K$ or all its occurrences in the program are in the else branch of a present statement. By these syntactic conditions, we guarantee that the end of a cycle for a given thread always entails the end of its computation for the current instant. For instance, in example 2 it is natural to assume that $Server \in Reset$ and $Handle \notin Reset$.

As we have seen, a program may read a signal during an instant with the present 
statement or at the end of the instant through dereferencing. The read once condition is 
the hypothesis that for every thread, in every cycle, there is a bound on the number of 
times the reading of a signal can be performed. Specifically, we require and statically check 
on the call graph of the program (see below) that the computation performed starting from 
any thread identifier can execute any given read instruction at most once within a cycle. 

1. We assign to every present statement and to every dereferencing in a program a distinct fresh label (a variable) $y$, and we collect all these labels in an ordered sequence $y_1, \ldots, y_m$. In the following, we will use the notation $s^{y}(x).P,K$ for a present statement carrying its label (and similarly for a labelled dereferencing). If $\vec{r}$ is a vector of expressions with dereferencing, we denote with $Lab(\vec{r})$ the finite set of labels that occur in $\vec{r}$.

2. With every thread identifier $A$ defined by an equation $A(\vec{x}) = P$, we associate a node of the graph. We also introduce a fresh thread identifier $O$ and a related node that plays the role of a sink in the call graph.

3. We define a function $Call$ that takes in input a program and a finite set of labels and produces in output a finite set of pairs composed of a thread identifier and a set of labels. The function $Call$ is defined as follows:

$$\begin{array}{lcl}
Call(0, L) & = & \{(O, L)\}\\
Call(\bar{s}e, L) & = & \{(O, L)\}\\
Call(s^{y}(x).P, A(\vec{r}), L) & = & \left\{\begin{array}{ll} Call(P, L \cup \{y\}) \cup \{(A, L \cup Lab(\vec{r}))\} & \text{if } A \notin Reset\\ Call(P, L \cup \{y\}) \cup \{(O, L \cup Lab(\vec{r}))\} & \text{otherwise}\end{array}\right.\\
Call(A(\vec{e}), L) & = & \left\{\begin{array}{ll} \{(A, L)\} & \text{if } A \notin Reset\\ \{(O, L)\} & \text{otherwise}\end{array}\right.\\
Call([s_1 = s_2]\,P_1,P_2, L) & = & Call(P_1, L) \cup Call(P_2, L)\\
Call([x \rhd p]\,P_1,P_2, L) & = & Call(P_1, L) \cup Call(P_2, L)\\
Call(P_1 \,|\, P_2, L) & = & Call(P_1, L) \cup Call(P_2, L)\\
Call(\nu s\, P, L) & = & Call(P, L)
\end{array}$$



4. Suppose the identifier $A$ is defined by an equation $A(\vec{x}) = P$ and that $C = Call(P, \emptyset)$. We introduce an edge from $A$ to an identifier $B$ (possibly $O$) if $(B, L) \in C$. In this case, we label the edge with the set $\bigcup \{L \mid (B, L) \in C\}$.

5. We denote with $R(A)$ the union of the sets of labels of the edges accessible from $A$ and with $\vec{y}^{A}$ the ordered sequence of labels in $R(A)$.

The definition of Call is such that for every sequence of calls in the execution of a 
thread within the cycle we can find a corresponding path in the call graph. 

Definition 4 (read once condition). A program satisfies the read once condition if in the 
call graph there are no loops that go through an edge whose label is a non-empty set. 

Note that while the number of reads is bounded by a constant, the amount of informa- 
tion that can be read is not. Thus, for instance, a 'server' thread can just read one signal 
in which is stored the list of requests produced so far and then it can go on scanning the 
list and replying to all the requests within the same instant. In the following, we will focus 
on programs that satisfy the read once condition. For such programs, we introduce for each thread identifier $A$ with parameters $\vec{x}$ a fresh thread identifier $A^{\vec{y}}$ whose parameters are those of $A$ plus the parameters that can be read within a cycle. The idea is that the behaviour generated by the thread identifier $A$ within a cycle can be described as a function of its parameters $\vec{x}$, which are determined at the beginning of the cycle, and the values $\vec{y}^{A}$ of the signals read within the cycle. We will also refer to $\vec{x}$ as proper parameters and to $\vec{y}^{A}$ as auxiliary parameters of the identifier $A^{\vec{y}}$.

Example 5. Consider example 1 and suppose that $Cell \in Reset$ marks the end of a cycle 
and that the label associated with the dereferenciation is $y$. The graph resulting from the 
analysis has three nodes $\{Cell, Send, O\}$ and the following labelled edges: $(Cell, \emptyset, Send)$, 
$(Send, \emptyset, Send)$ and $(Send, \{y\}, O)$. The program satisfies the read once condition since the 
only possible loop, namely the one from $Send$ to $Send$, is composed of edges (just one in 
this case) whose label is the empty set. Both $Send^+$ and $Cell^+$ have an auxiliary parameter 
$y$. 

Next consider example 2 and suppose that $Server \in Reset$ and the label associated 
with the dereferenciation is $y$. The call graph has three nodes $Server, Handle, O$ and the 
following labelled edges: $(Server, \{y\}, Handle)$, $(Handle, \emptyset, Handle)$, and $(Handle, \emptyset, O)$. 
Again the read once condition is satisfied. $Server^+$ has an additional parameter $y$ while 
$Handle^+$ has no additional parameter. 

Finally, consider example 3 and suppose that $A, C \in Reset$ and the label associated 
with the dereferenciation is $y$. The graph has four nodes $C, A, B, O$ and the following 
labelled edges: $(A, \{y\}, B)$, $(B, \emptyset, B)$, $(B, \emptyset, O)$, and $(C, \emptyset, C)$. In this case too, the read 
once condition is satisfied. $A^+$ has an additional parameter $y$ while $B^+$ and $C^+$ have no 
additional parameter. 
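The call graph construction and the read once check of this section, as an added example that is not part of the paper: Python code computing Call over a constructed tuple encoding of processes, building the labelled graph, deciding Definition 4 and collecting $R(A)$. The encoding, the identifier names and the counter-example thread Loop are assumptions of this example, modelled on the paper's description of example 1.

```python
# Added example, not code from the paper: the function Call of section 4.1 computed
# over a small tuple encoding of processes, the labelled call graph built from it
# (items 4 and 5), the read once condition of Definition 4, and the set R(A) of
# auxiliary parameters of A+.  The encoding of example 1 below is constructed from
# the paper's description (Cell in Reset, read label y), not copied from it.
from collections import defaultdict

# Process encoding (constructed), one tuple shape per construct of the calculus:
#   ('stop',)                        0
#   ('read', s, y, x, P, A, r)       s_y(x).P, A(r): y labels the read, r the arguments of A
#   ('emit', s, e)                   s-bar e
#   ('match', P1, P2)                [s1 = s2]P1,P2 or [x > p]P1,P2 (both branches explored)
#   ('par', P1, P2)                  P1 | P2
#   ('new', s, P)                    nu s P
#   ('call', A, r)                   A(r)
# Expressions are nested tuples/strings; a dereferenciation label is ('lab', y).
O = 'O'   # the terminated thread identifier

def lab(e):
    """Lab(r): the set of read labels occurring in an expression."""
    if isinstance(e, tuple):
        if len(e) == 2 and e[0] == 'lab':
            return {e[1]}
        return set().union(*(lab(x) for x in e))
    return set()

def call(P, L, reset):
    """Call(P, L): the set of pairs (identifier, labels) of section 4.1, item 3."""
    kind = P[0]
    if kind in ('stop', 'emit'):
        return {(O, frozenset(L))}
    if kind == 'read':
        _, _s, y, _x, Q, A, r = P
        target = A if A not in reset else O
        return call(Q, L | {y}, reset) | {(target, frozenset(L | lab(r)))}
    if kind in ('match', 'par'):
        return call(P[1], L, reset) | call(P[2], L, reset)
    if kind == 'new':
        return call(P[2], L, reset)
    if kind == 'call':
        target = P[1] if P[1] not in reset else O
        return {(target, frozenset(L))}
    raise ValueError('unknown construct %r' % kind)

def call_graph(system, reset):
    """Item 4: edge A -> B labelled with the union of all L such that (B, L) in Call(P, {})."""
    edges = defaultdict(set)
    for A, body in system.items():
        for B, L in call(body, frozenset(), reset):
            edges[(A, B)] |= set(L)
    return dict(edges)

def reachable(edges, start):
    """Identifiers reachable from start along the edges (start included)."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(B for (A, B) in edges if A == node)
    return seen

def read_once(edges):
    """Definition 4: no loop goes through an edge whose label is non-empty.
    The edge A -> B lies on a loop exactly when A is reachable from B."""
    return all(not L or A not in reachable(edges, B) for (A, B), L in edges.items())

def auxiliary(edges, A):
    """R(A): union of the labels of all edges accessible from A."""
    nodes = reachable(edges, A)
    return set().union(*(L for (X, _), L in edges.items() if X in nodes))

# Example 1 as the paper describes it (constructed encoding): Cell(s,q,l) hands the list l
# to Send(s,q,l,l'), which emits q on s' and recurs within the instant while l' is a cons;
# otherwise it reads s (label y) and starts the next cycle with Cell(s, next(q, y), l).
EXAMPLE_1 = {
    'Cell': ('call', 'Send', ('s', 'q', 'l', 'l')),
    'Send': ('match',
             ('par', ('emit', "s'", 'q'), ('call', 'Send', ('s', 'q', 'l', "l''"))),
             ('read', 's', 'y', 'x', ('stop',), 'Cell', ('s', ('next', 'q', ('lab', 'y')), 'l'))),
}
RESET_1 = {'Cell'}

# Constructed counter-example: a thread that is never reset and reads a fresh value at
# every instant, so its behaviour is not a function of finitely many reads per cycle.
UNBOUNDED_READER = {
    'Loop': ('read', 's', 'y', 'x', ('stop',), 'Loop', ('s', ('lab', 'y'))),
}

if __name__ == '__main__':
    g = call_graph(EXAMPLE_1, RESET_1)
    for (A, B), L in sorted(g.items()):
        print('%s --%s--> %s' % (A, sorted(L), B))
    print('read once:', read_once(g), ' R(Cell) =', auxiliary(g, 'Cell'))
    print('read once (Loop):', read_once(call_graph(UNBOUNDED_READER, set())))
```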

4.2 Status annotations 

We associate a status, either lexicographic ($lex$) or multi-set ($mset$), with every thread 
identifier. We assume that thread identifiers which are equivalent with respect to a pre- 
order $\geq_F$ that we define below have the same arity and the same status. We note that this 
implies that $A^+, B^+$ have the same arity too. 

To define the pre-order $\geq_F$, we first introduce a call graph within an instant by modify- 
ing the definition given in section 4.1 so that $Call(A(e), L) = \{(A, L)\}$ and $Call(s_y(x).P, A(r), L) = Call(P, L)$. 
Thus there is an edge from the identifier $A$ to the identifier $B$ if in the 
definition of $A$, say $A(x) = P$, it is possible to call $B$ within the same instant $A$ is called. 
Second, we build the least pre-order (reflexive and transitive) $\geq_F$ over thread identifiers 
such that $A \geq_F B$ if there is an edge from $A$ to $B$ in the call graph within an instant. We 
write $A =_F B$ if $A \geq_F B$ and $B \geq_F A$, and $A >_F B$ if $A \geq_F B$ and $A \neq_F B$. The rank of 
the thread identifier $A$, noted $rank(A)$, is the length of the longest chain $A >_F B >_F \cdots$ 

4.3 Parameter annotations 

One of our goals is to control the size of the proper parameters of a thread. However, it is 
sometimes appropriate to neglect some parameters. For instance, consider example 2. 
One of the parameters of the thread identifier $Handle$ is a list $\ell$ that is read on a signal $s$ 
whose size is unrelated to the size of the parameter $s$ of the thread identifier $Server$. We 
observe that the parameter $\ell$ is needed by $Handle$ to perform some computation and that 
this parameter is then neglected at the end of the cycle. We then introduce a mechanism 
to mask parameters such as $\ell$. Let $0$ be a fresh constant that stands for a parameter 
of size $0$. If $h$ is a function of arity $n$ and $I \subseteq \{1, \ldots, n\}$ is a subset of its parameters 
then $h(e_1, \ldots, e_n)_I$ is defined as $h(e'_1, \ldots, e'_n)$ where $e'_i = e_i$ if $i \in I$ and $e'_i = 0$ otherwise. 
Intuitively, in $h(e_1, \ldots, e_n)_I$ 'we set to $0$' all arguments that are not in $I$. For each thread 
identifier $A$ defining a behaviour of arity $n$, we assume a set $I_A \subseteq \{1, \ldots, n\}$ with the 
condition that $I_A = \{1, \ldots, n\}$ if $A$ marks the end of a cycle in the program (thus in the 
latter case, no parameter can be set to $0$). Note that the mask acts only on the proper 
parameters of the identifier $A$ and not on the auxiliary parameters corresponding to 
the values read within a cycle. 
4.4 Signal annotations 

One purpose of the signal annotations is to reject programs such as the one in example 3. 
Let us consider in particular the thread $A$. At each instant, this thread re-emits on a signal 
$s$ the values emitted on the same signal $s$ at the previous instant. We want to reject this 
kind of behaviour while allowing, under suitable conditions, a slightly different behaviour 
where a thread emits on a signal $s$ a series of values (possibly the same) that depend on 
the values emitted on a different signal $s'$ at the previous instant. For instance, we want to 
be able to program a 'server' (cf. example 2) that receives a series of requests at the end of 
the instant and produces a series of related answers in the following instant. The idea is to 
partition the signal names into a finite collection of regions. Then regions are ordered and 
the behaviour of the server described above is allowed if the signal $s$ belongs to a region 
that is strictly below the region to which $s'$ belongs. For instance, in example 2, we 
emit on signal $s'$ a value which depends on a value read on a signal $s$. If we admit that 
this value has arbitrary size then we should require that the signal $s$ is associated with a 
region smaller than the region associated with $s'$. 

Formally, we assume a set of regions $\mathcal{R} = \{\rho_1, \rho_2, \ldots\}$ with a strict order $>_{\mathcal{R}}$ and we 
denote with $rank(\rho)$ the length of the longest sequence $\rho >_{\mathcal{R}} \rho_1 >_{\mathcal{R}} \cdots >_{\mathcal{R}} \rho_n$. We assume 
that every signal type comes with a region annotation $Sig_\rho(t)$ so that the type of a signal 
name also provides the region to which the signal name belongs. In section 4.6 we will 
rely on these annotations to derive inequalities that guarantee that the size of the values 
emitted on a signal of region $\rho$ can be bounded as a function of the size of the values received 
on signals belonging to regions of smaller rank. 

4.5 Inequalities 

We rely on the annotations to produce a set of inequalities. We use the notation $\overline{r}$ for $r$ 
where each dereferenciation of a signal is replaced with its label $y$. Given a system of equations, for each thread identifier 
$A$ defined by an equation $A(x) = P$, we compute $C_i(P, A^+(x, y_A))$, with index $i = 0, 1, 2$, 
according to the rules described in table 1. The definition of the functions $C_i$ amounts 
to performing a 'symbolic execution' of the body $P$ of the equation while keeping track of 
the shape of the parameters $x$ and the values read $y_A$. More precisely, the functions 
explore the finitely many control points of a computation starting with a recursive call 
to the thread identifier $A$. At some critical points, namely (i) when a value is emitted, 
(ii) when a value is received, and (iii) when a recursive call is executed, the functions $C_i$ 
produce certain inequalities whose purpose is discussed next. 

4.5.1 Inequalities for termination of the instants 

In our model, the only way a computation may fail to be reactive is that a thread goes 
through a recursive call infinitely often within an instant. To avoid this situation, we have 
to make sure that whenever the identifiers $A_1, \ldots, A_n$ may call each other, a certain well- 
founded measure decreases. This is the purpose of the inequalities of index 0. Moreover, 
the inequalities will be interpreted so as to make sure that a decrement step can only be 
taken polynomially many times in the size of the values. 

$C_i(P, A^+(p)) = $ case $P$ of 
\[
\begin{array}{lcl}
[x \rhd p]P_1, P_2 & : & C_i(P_1, A^+([p/x]p)) \cup C_i(P_2, A^+(p)) \\
[s_1 = s_2]P_1, P_2 & : & C_i(P_1, A^+(p)) \cup C_i(P_2, A^+(p)) \\
(P_1 \mid P_2) & : & C_i(P_1, A^+(p)) \cup C_i(P_2, A^+(p)) \\
\nu s\, P' & : & C_i(P', A^+(p)) \\
\overline{s}e,\ i = 0, 1 & : & \emptyset \\
\overline{s}e,\ i = 2 & : & \{A^+(p)_{\downarrow\rho} >_2 e\} \quad \mbox{where } s : Sig_\rho(t) \\
B(e),\ i = 0 & : & \left\{ \begin{array}{ll} \emptyset & \mbox{if } A >_F B \\ \{A^+(p) >_0 B^+(e, y_B)\} & \mbox{otherwise} \end{array} \right. \\
B(e),\ i = 1 & : & \{A^+(p)_{I_A} >_1 B^+(e, y_B)_{I_B}\} \\
B(e),\ i = 2 & : & \left\{ \begin{array}{ll} \{A^+(p)_{\downarrow\rho} >_2 B^+(e, y_B)_{\downarrow\rho} \mid \rho \in \mathcal{W}(B)\} & \mbox{if } B \notin Reset \\ \emptyset & \mbox{otherwise} \end{array} \right. \\
s_y(x).P', B(r),\ i = 0 & : & C_0([y/x]P', A^+(p)) \\
s_y(x).P', B(r),\ i = 1 & : & C_1([y/x]P', A^+(p)) \cup \{A^+(p)_{I_A} >_1 B^+(\overline{r}, y_B)_{I_B}\} \\
s_y(x).P', B(r),\ i = 2 & : & \left\{ \begin{array}{ll} C_2([y/x]P', A^+(p)) \cup \{A^+(p)_{\downarrow\rho} >_2 B^+(\overline{r}, y_B)_{\downarrow\rho} \mid \rho \in \mathcal{W}(B)\} & \mbox{if } B \notin Reset \\ C_2([y/x]P', A^+(p)) & \mbox{otherwise} \end{array} \right.
\end{array}
\]

Table 1: Inequalities of index 0, 1, 2 

Example 6. We rely on the call graphs computed in example 5. For example 1 
we obtain: $Send^+(s, q, \ell, cons(s', \ell''), y) >_0 Send^+(s, q, \ell, \ell'', y)$; for example 2, we ob- 
tain: $Handle^+(s, cons(req(s', x), \ell')) >_0 Handle^+(s, \ell')$; and for example 3 we obtain: 
$B^+(s, cons(n, \ell')) >_0 B^+(s, \ell')$. 

4.5.2 Inequalities for size control at the beginning of a cycle 

The purpose of the inequalities of index 1 is to ensure that the size of the parameters of a 
thread at the beginning of a new cycle is bounded by a function (a polynomial) of the size 
of the initial parameters of the computation. Of course, a cycle starting with A may span 
several instants and may go through several recursive calls before a new cycle is started 
again. For this reason, the invariant we have to maintain concerns all recursive calls both 
within and at the end of the instant. 

Example 7. We rely again on the computation of the call graphs in example 5. For 
example 1, assuming $I_{Cell} = \{1, 2, 3\}$ and $I_{Send} = \{1, 2, 3, 4\}$, we obtain: 

$Cell^+(s, q, \ell, 0) >_1 Send^+(s, q, \ell, \ell, 0)$, $Send^+(s, q, \ell, \ell', 0) >_1 Cell^+(s, next(q, y), \ell, 0)$, 
$Send^+(s, q, \ell, cons(s', \ell''), 0) >_1 Send^+(s, q, \ell, \ell'', 0)$. 

For example 2, assuming $I_{Server} = I_{Handle} = \{1\}$, we obtain: 

$Server^+(s, 0) >_1 Handle^+(s, 0)$, $Handle^+(s, 0) >_1 Handle^+(s, 0)$, 
$Handle^+(s, 0) >_1 Server^+(s, 0)$. 

For example 3, assuming $I_A = I_B = I_C = \{1\}$, we obtain: 

$A^+(s, 0) >_1 B^+(s, 0)$, $B^+(s, 0) >_1 B^+(s, 0)$, $B^+(s, 0) >_1 A^+(s, 0)$, $C^+(s) >_1 C^+(s)$. 

4.5.3 Inequalities for size control within a cycle 

Finally, the purpose of the inequalities of index 2 is to ensure that the size of any value 
emitted during a cycle in a given region as well as the number of these emissions within 
an instant is polynomial in the size of the parameters at the beginning of the cycle, the 
inputs provided by the environment, and the size of the values read in regions of smaller 
rank. 

1. Given a thread identifier $A$, we compute an over-approximation of the set of regions 
associated with an output within a cycle starting from $A$. To this end, we use the call 
graph defined in section 4.1 and we compute all thread identifiers that are reachable 
from $A$ within a cycle. Then we inspect the definition of each thread identifier 
(different from $O$) and determine the regions associated with the emissions that may 
arise in the definition. We denote with $\mathcal{W}'(A)$ this set. Moreover, let $\rho_\top$ be a region 
whose rank is higher than the rank of all the regions used in the program and let 
$\mathcal{W}(A)$ equal $\{\rho_\top\}$ if $\mathcal{W}'(A) = \emptyset$, and $\mathcal{W}'(A)$ otherwise. 

2. Let $A$ be a thread identifier of arity $n$ with auxiliary parameters $y_A = y_1, \ldots, y_m$. We 
can associate with each position $1, \ldots, m$ in the list of auxiliary parameters a unique 
region $\gamma(i)$ which is the region associated with the corresponding read instruction. 
Given a region $\rho$, we denote with $\downarrow\rho$ the set of regions of rank smaller than $\rho$. In 
particular, if $rank(\rho) = 0$ then $\downarrow\rho = \emptyset$. Given a set $M$ of regions we introduce 
the notation $A^+(p)_M$ for $A^+(p)_I$ where $I = \{1, \ldots, n\} \cup \{n + i \mid \gamma(i) \in M\}$. Thus, 
this amounts to setting to $0$ all auxiliary parameters whose region is not in $M$. Note that 
this masking only affects the auxiliary parameters of the thread identifiers. 

Example 8. Consider example 1 assuming all the signals on which the automata interact 
belong to the same region $\rho$. In this case, $\mathcal{W}(Cell) = \mathcal{W}(Send) = \{\rho\}$ and the resulting 
inequalities are: 

$Cell^+(s, q, \ell, 0) >_2 Send^+(s, q, \ell, \ell, 0)$, 
$Send^+(s, q, \ell, cons(s', \ell''), 0) >_2 Send^+(s, q, \ell, \ell'', 0)$, $Send^+(s, q, \ell, cons(s', \ell''), 0) >_2 q$. 

Next consider example 2 assuming the region $\rho$ of the signal on which the $Server$ receives 
the requests is below the region $\rho'$ of the signals on which it provides an answer. In this 
case, $\mathcal{W}(Server) = \mathcal{W}(Handle) = \{\rho'\}$ and the resulting inequalities are: 

$Server^+(s, y) >_2 Handle^+(s, y)$, $Handle^+(s, cons(req(s', x), \ell')) >_2 Handle^+(s, \ell')$, 

$Handle^+(s, cons(req(s', x), \ell')) >_2 f(x)$. 

Finally, consider example 3. Here we have just one signal belonging, say, to a region $\rho$. In 
this case, $\mathcal{W}(A) = \mathcal{W}(B) = \mathcal{W}(C) = \{\rho\}$ and the resulting inequalities are: 

$A^+(s, 0) >_2 B^+(s, y)$, $B^+(s, cons(n, \ell')) >_2 B^+(s, \ell')$, $B^+(s, cons(n, \ell')) >_2 n$, 

$C^+(s) >_2 C^+(s)$, $C^+(s) >_2 n$. 

We anticipate that the inequality $A^+(s, 0) >_2 B^+(s, y)$ is not going to be satisfiable since 
$A$ does not depend on $y$ which is a list of arbitrary size. 

4.6 Assignments and quasi-interpretations 

We introduce first the notion of assignment which interprets the inequalities in terms of 
certain numerical functions. A quasi-interpretation is then an assignment that satisfies the 
inequalities associated with the program. 

4.6.1 Assignments 

Let $h$ denote either a constructor $c$ or a function symbol $f$ or a thread identifier $A^+$. An 
assignment associates with each symbol $h$ of arity $n$ of the program a function $q_h : \mathbb{N}^n \to \mathbb{N}$ 
subject to a series of conditions that we specify below. 

First we have to introduce some notation. Let $E$ denote a formula which is either an 
expression $e$ or the application of a thread identifier to expressions $A^+(e_1, \ldots, e_n)$. Suppose 
$E$ contains the variables $x_1, \ldots, x_n$. Once an assignment is fixed, we can associate with 
$E$ a function over the natural numbers of arity $n$ by defining $q_{x_i} = x_i$ and $q_{h(e_1, \ldots, e_n)} = 
q_h(q_{e_1}, \ldots, q_{e_n})$. In particular, we note that if $v$ is a value then $q_v$ is a numerical constant. 

A ground substitution is a substitution that associates values with variables (while 
respecting the types). Given two formulae $E_1, E_2$, we write $q \models E_1 > E_2$ ($q \models E_1 \geq E_2$) if 
for all ground substitutions $\sigma$, $q_{\sigma E_1} > q_{\sigma E_2}$ ($q_{\sigma E_1} \geq q_{\sigma E_2}$).$^1$ 

We will also compare vectors of formal expressions. For lexicographic comparison, we 
write $q \models (E_1, \ldots, E_n) >_{lex} (E'_1, \ldots, E'_n)$ if there is an $i \leq n$ such that $q \models E_j \geq E'_j$ for 
$j = 1, \ldots, i - 1$ and $q \models E_i > E'_i$. For multi-set comparison, we write $q \models (E_1, \ldots, E_n) >_{mset} 
(E'_1, \ldots, E'_n)$ if for all ground substitutions $\sigma$, $\{|q_{\sigma E_1}, \ldots, q_{\sigma E_n}|\} >_{mset} \{|q_{\sigma E'_1}, \ldots, q_{\sigma E'_n}|\}$, 
where $\{| \ldots |\}$ is our notation for multi-sets and $>_{mset}$ is the well-founded multi-set order 
over the finite multi-sets of natural numbers. We notice the following simple combinatorial 
fact about lexicographic and multi-set orders which is instrumental to establish polynomial 
time termination. 

Lemma 1. Suppose $a_1, \ldots, a_n, c$ are natural numbers and $a_1, \ldots, a_n < c$. Then the length 
of any strictly decreasing sequence of the shape $(a_1, \ldots, a_n) >_{lex} (b_1, \ldots, b_n) >_{lex} \cdots$ or of 
the shape $\{|a_1, \ldots, a_n|\} >_{mset} \{|b_1, \ldots, b_n|\} >_{mset} \cdots$ is bounded by $c^n$. 

Definition 5. An assignment should satisfy the following conditions. 

(1) If $s$ is a signal name or $c$ is a constructor with arity $0$ then $q_s = q_c = 0$. Otherwise, if 
$c$ is a constructor with positive arity $n$ then $q_c = d_c + \sum_{j=1}^{n} x_j$ for some natural number 
$d_c \geq 1$. 

(2) For all symbols $h$ of arity $n$ it holds that: (i) $q \models h(x_1, \ldots, x_n) \geq x_i$ for $i = 1, \ldots, n$ and 
(ii) $q_h$ is monotonic, i.e., $a_j \geq b_j$ for $j = 1, \ldots, n$ implies $q_h(a_1, \ldots, a_n) \geq q_h(b_1, \ldots, b_n)$. 

(3) Let $f$ be a function symbol of arity $n$. Then $f(v_1, \ldots, v_n) \Downarrow v$ implies that $q_{f(v_1, \ldots, v_n)} \geq q_v$. 

It follows from condition (1) that there is a constant $k \geq 1$ (that can be taken as the 
largest additive constant $d_c$) such that for any value $v$, $|v| \leq q_v \leq k \cdot |v|$. Also note that 
condition (1) implies condition (2) for constructors. 

The definition of an assignment $q$ ensures that $\sigma e \Downarrow v$ implies $q_{\sigma e} \geq q_v$. We say that a 
function $U : \mathbb{N} \to \mathbb{N}$ bounds the assignment $q$ if for all symbols $h$ and all natural numbers 
$n$ it holds that $q_h(n, \ldots, n) \leq U(n)$. We say that an assignment is polynomially bounded 
if it can be bounded by a function $U$ which is a polynomial. In the following, we will restrict 
our attention to polynomially bounded assignments. 

$^1$Sometimes, a stronger definition of satisfaction is considered that requires, e.g., $q_{E_1} > q_{E_2}$ where 
$q_{E_1}, q_{E_2}$ are regarded as functions over the natural numbers. We prefer the definition based on ground 
substitutions because it allows us to exploit some information on the data size. For instance, we may satisfy 
a constraint $f(x) > c(x, y)$ if we know that all the values that may replace $y$ have bounded size. On the 
other hand, with the stronger definition such a constraint cannot be satisfied. 
4.6.2 Quasi-interpretations 

A quasi-interpretation is a polynomially bounded assignment which satisfies the constraints 
of index 0, 1, 2. 

Definition 6 (quasi-interpretation). An assignment $q$ is a quasi-interpretation if: 

(1) For all constraints of the shape $A^+(p_1, \ldots, p_n) >_0 B^+(e_1, \ldots, e_n)$ where $A =_F B$, with 
status $st$, we have: 

$q \models (p_1, \ldots, p_n) >_{st} (e_1, \ldots, e_n)$. 

(2) For all constraints of the shape $A^+(p_1, \ldots, p_n) >_i B^+(e_1, \ldots, e_m)$ ($i = 1, 2$) and 
$A^+(p_1, \ldots, p_n) >_2 e$ we have: 

$q \models A^+(p_1, \ldots, p_n) \geq B^+(e_1, \ldots, e_m)$ and $q \models A^+(p_1, \ldots, p_n) \geq e$. 

Example 9. Consider example 1 and assume that we attribute the lexicographic status to 
$Cell$ and $Send$. We note that $Cell >_F Send$. The inequality of index 0 is satisfied because 
the quasi-interpretation of $cons(s', \ell'')$ is always strictly larger than the quasi-interpretation 
of $\ell''$. To satisfy the remaining inequalities of index 1, 2 it suffices to interpret $Cell^+$ 
and $Send^+$ as the maximum function, noticing that $next(q, y)$ is always a state which is 
represented by a constant of size 0. 

Next, consider example 2 and assume lexicographic status for the thread identifiers. We 
note that $Handle >_F Server$. Again the inequality of index 0 is satisfied because the quasi- 
interpretation of $cons(req(s', x), \ell')$ is always larger than the quasi-interpretation of $\ell'$. To 
satisfy the inequalities of index 1, 2 it suffices to suppose that the quasi-interpretation 
of $Handle^+$ and $Server^+$ is a function $g : \mathbb{N}^2 \to \mathbb{N}$ such that $g(0, x)$ is pointwise larger 
than the quasi-interpretation of the function $f$. Finally, consider example 3. We note that 
$A >_F B$. We can satisfy the inequalities of index 0, 1 but as anticipated there is no way the 
inequality $A^+(s, 0) >_2 B^+(s, y)$ can be satisfied since $y$ ranges over lists of arbitrary size. 

We can now state our main result, whose proof will be discussed in the following section 5. 

Theorem 1. A program that admits a polynomial quasi-interpretation is feasibly reactive. 

5 Proofs outline 

We are given a finite system of recursive equations. The initial configuration of a program 
relative to such a system has the shape: $R = \nu s\,(A_1(v_1) \mid \cdots \mid A_n(v_n))$. Since we have 
assumed that the system is finite control, during the computation we will have at most $n$ 
main parallel threads plus a variable number of auxiliary threads that may just branch 
and emit signals and that disappear at the end of each instant. Of course one of our goals 
is to show that this variable number of threads can be polynomially bounded. 
Lemma 2. Let $R$ be a program admitting a polynomial quasi-interpretation. There is a 
polynomial $Q(x)$ such that if $c$ bounds the size of $R$, the size of the inputs, and the sizes 
of the parameters of all calls within a given instant then the program in that instant will 
suspend in time less than $Q(c)$. 

The computation performed by the program is simply the interleaving of the compu- 
tations performed by the $n$ main threads. It is clear that the computation a thread may 
perform within an instant before running a recursive call is polynomially bounded in $c$. 
Thus it is enough to show that each thread may perform at most polynomially many re- 
cursive calls before suspending and to this end we rely on the inequalities of index 0 and 
lemma 1. Note that the size and the number of the values emitted during the instant 
are polynomial in $c$ and that therefore their concatenation in a list has size polynomial in 
$c$ too. We anticipate that the proof we have sketched of lemma 2 actually shows that 
each thread whose parameters and inputs are bounded by $c$ will suspend in time polynomial 
in $c$. 

Lemma 3. Let $R$ be a program admitting a polynomial quasi-interpretation. There is a 
polynomial $Q(x)$ such that if $c$ bounds the size of $R$ and $A \in Reset$ then, in all computations 
of $R$, the sizes of the parameters in every call to $A$ are bounded by $Q(c)$. 

The inequalities of index 1 guarantee that a computation that starts with $B(v)$ will 
have the property that $B(v)$ will 'dominate' (up to quasi-interpretation and modulo the 
parameter annotations) all the following calls $A(u)$, including those that correspond to a 
reset point; in this case all parameters of the call are taken into account by the definition 
of $I_A$. 

Lemma 4. Let $R$ be a program admitting a polynomial quasi-interpretation. There exists 
a polynomial $Q(x)$ such that in every computation 

if $c$ bounds the size of $R$ and of the inputs $Env_1, \ldots, Env_k$ for $k \geq 0$ then the size of every 
value computed within the instant $k$ is bounded by $Q(c)$. 

First of all we show by induction on the rank of a region that the size of every value 
computed in that region is polynomial in c. 

If the region $\rho$ has rank $0$, the inequalities of index 2 (in the case where all auxiliary 
parameters are set to $0$) guarantee that (i) the size of an emitted value and (ii) the size 
of a parameter in a recursive call to a thread identifier that may emit on the region $\rho$ are 
polynomial in the parameters at the beginning of a cycle. Now, by lemma 3 the size of 
the parameters at the beginning of a cycle is polynomial in $c$. Thus from (the proof of) 
lemma 2, we can derive that the number of values emitted is polynomial in $c$. We can 
then conclude that all the values emitted or computed at the end of the instant by list 
concatenation have a size that is polynomial in $c$. 
Next suppose the region $\rho$ has rank greater than $0$. This time the inequalities of index 
2 (in the case where we restrict the auxiliary parameters to those that depend on regions 
of rank strictly smaller than $\rho$) guarantee that (i) the size of an emitted value and (ii) the 
size of a parameter in a recursive call to a thread identifier that may emit on the region $\rho$ 
are polynomial in the size of the parameters at the beginning of a cycle and the values read 
from regions strictly smaller than $\rho$. Using the fact that the composition of polynomials 
is again a polynomial we can appeal again to lemmas 2 and 3 to conclude that all values 
emitted or computed at the end of the instant by list concatenation in the region $\rho$ have a 
size that is polynomial in $c$. 

There is one situation that remains to be considered. The computation may reach a 
thread identifier, say $B$, that does not emit any value within its current cycle. By lemma 2, it 
is enough to make sure that the size of its parameters is polynomial in $c$. This is guaranteed 
again by the inequalities of index 2 since by convention a region with the largest rank is 
in $\mathcal{W}(B)$. 

Thus we have shown that the size of the values is polynomial in the size of the initial 
configuration and the size of the largest input. By applying again lemma [2] we can conclude 
that the program is feasibly reactive. 

6 Conclusion 

We have introduced the property of feasible reactivity in the context of a synchronous 
$\pi$-calculus and we have provided static conditions that enforce it. The read-once condition 
builds on the cyclic behaviour of typical synchronous applications and allows us to regard 
each thread as a function of its parameters and of the finitely many inputs it receives 
within a cycle. Reactivity is obtained as usual through a well-founded measure. In our 
case, this measure is tuned so as to ensure termination in time polynomial in the size of 
the values. Feasible reactivity requires that we control both the number and the size of the 
threads. This is achieved in particular by requiring that each thread at the beginning of a 
cycle is non-size increasing. To escape certain circular situations, a final condition requires 
a stratification of the signals in regions so that, intuitively, a value emitted on a certain 
region can be polynomially bounded in the size of the values read in lower regions. 

Various directions for further research can be mentioned. First, it is clear that an au- 
tomatisation of our approach relies on the possibility of synthesizing quasi-interpretations. 
Preliminary experience suggests that quasi-interpretations are not too hard to find in 
practice (see, e.g., [4]), but it remains to be seen whether this approach scales up to large 
programs. Second, one might wonder whether the read-once condition can be dropped. 
Currently, it plays an essential role in the proofs and its eventual removal seems to require 
new ideas on the abstraction of threads' execution. Third, our analysis is tailored towards 
the synchronous model and a signal based interaction mechanism. It remains to be seen 
whether similar analyses could be performed on different models of concurrent threads, 
for instance a model based on shared references and possibly asynchronous execution. 
A Proof of lemma 1 

Suppose $a_{n-1}, \ldots, a_0$ are natural numbers strictly smaller than a constant $c$. We define 

\[ B_{lex}(a_{n-1}, \ldots, a_0)(c) = \sum_{i = 0, \ldots, n-1} a_i c^i \]

which is simply the value in base $c$ of the sequence $(a_{n-1}, \ldots, a_0)$. We also define 

\[ B_{mset}(a_{n-1}, \ldots, a_0)(c) = \sum_{i = 0, \ldots, n-1} a_{\pi(i)} c^i \]

where $\pi$ is a permutation over $\{0, \ldots, n-1\}$ such that $a_{\pi(0)} \leq \cdots \leq a_{\pi(n-1)}$. The per- 
mutation $\pi$ is not uniquely determined but the definition of $B_{mset}$ does not depend on its 
choice. 

Now suppose $a_{n-1}, \ldots, a_0, b_{n-1}, \ldots, b_0$ are natural numbers strictly smaller than a con- 
stant $c$ and note that $B_{st}(a_{n-1}, \ldots, a_0)(c) < c^n$ for $st \in \{lex, mset\}$. If $(a_{n-1}, \ldots, a_0) >_{lex} 
(b_{n-1}, \ldots, b_0)$ then clearly $B_{lex}(a_{n-1}, \ldots, a_0)(c) > B_{lex}(b_{n-1}, \ldots, b_0)(c)$. Therefore, the 
length of a decreasing sequence with respect to the lexicographic order is bounded by 
$c^n$. 

On the other hand, suppose $M = \{|a_{n-1}, \ldots, a_0|\} >_{mset} \{|b_{n-1}, \ldots, b_0|\} = N$. Also 
assume that $\pi, \pi'$ are permutations such that $a_{\pi(0)} \leq \cdots \leq a_{\pi(n-1)}$ and $b_{\pi'(0)} \leq \cdots \leq 
b_{\pi'(n-1)}$. By definition of the multi-set order, we know that there is a non-empty multi- 
subset of $M$ whose largest element is, say, $a$ which is replaced in $N$ by another multi-set 
(with the same cardinality) whose largest element is strictly smaller than $a$. For instance, 
$\{|1, 2, 5, 5, 5, 7|\} >_{mset} \{|4, 4, 4, 4, 5, 7|\}$ and $\{|1, 2, 5, 5|\}$ is replaced by $\{|4, 4, 4, 4|\}$. Then for 
some $k \in \{0, \ldots, n-1\}$ we have: $a_{\pi(n-1)} = b_{\pi'(n-1)}, \ldots, a_{\pi(k+1)} = b_{\pi'(k+1)}$, $a_{\pi(k)} > b_{\pi'(k)}$. 

It follows that $B_{mset}(a_{n-1}, \ldots, a_0)(c) > B_{mset}(b_{n-1}, \ldots, b_0)(c)$ and again the length of a 
decreasing sequence with respect to the multi-set order is bounded by $c^n$. 
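The encodings $B_{lex}$ and $B_{mset}$ of the proof above, as an added example that is not the paper's own code: Python functions for the two encodings and the two orders they reflect, checked on the appendix' multi-set instance and by brute force on all small tuples below a bound $c$. The function names and the choice of $c = 8$ for the instance are assumptions of this example.

```python
# Added example, not code from the paper: the encodings B_lex and B_mset from the
# proof of lemma 1 (appendix A), the lexicographic and multi-set orders they are
# meant to reflect, and a brute-force check on all n-tuples below c that each
# encoding is strictly monotone for its order and stays below c^n.
# Tuples follow the appendix and are written (a_{n-1}, ..., a_0).
from collections import Counter
from itertools import product

def b_lex(a, c):
    """B_lex(a_{n-1}, ..., a_0)(c): the value of the sequence read in base c."""
    return sum(x * c ** i for i, x in enumerate(reversed(a)))

def b_mset(a, c):
    """B_mset: the base-c value after sorting increasingly, so the largest element
    gets the weight c^(n-1); it does not depend on the sorting permutation chosen."""
    return sum(x * c ** i for i, x in enumerate(sorted(a)))

def gt_lex(a, b):
    """(a_{n-1}, ..., a_0) >_lex (b_{n-1}, ..., b_0): leftmost differing component decides."""
    for x, y in zip(a, b):
        if x != y:
            return x > y
    return False

def gt_mset(a, b):
    """Multi-set order on finite multi-sets of naturals: M > N iff M != N and every
    element of N \\ M (counted with multiplicity) is below some element of M \\ N."""
    m, n = Counter(a), Counter(b)
    only_m, only_n = m - n, n - m      # multi-set differences, multiplicities included
    if not only_m and not only_n:      # equal multi-sets
        return False
    return all(any(x > y for x in only_m.elements()) for y in only_n.elements())

def check_encodings(n, c):
    """Brute force over all n-tuples with entries in {0, ..., c-1}: both encodings are
    strictly below c^n, and strictly monotone for their respective order, which is the
    argument that bounds any strictly decreasing chain by c^n (lemma 1)."""
    tuples = list(product(range(c), repeat=n))
    for a in tuples:
        if not (b_lex(a, c) < c ** n and b_mset(a, c) < c ** n):
            return False
        for b in tuples:
            if gt_lex(a, b) and not b_lex(a, c) > b_lex(b, c):
                return False
            if gt_mset(a, b) and not b_mset(a, c) > b_mset(b, c):
                return False
    return True

# The appendix' own instance: {|1,2,5,5,5,7|} >mset {|4,4,4,4,5,7|}, the multi-subset
# {|1,2,5,5|} being replaced by {|4,4,4,4|}.  With c = 8 (all entries are below 8) the
# encodings separate the two multi-sets in the right direction.
M = (1, 2, 5, 5, 5, 7)
N = (4, 4, 4, 4, 5, 7)

if __name__ == '__main__':
    print('M >mset N:', gt_mset(M, N), ' B_mset(M)(8) =', b_mset(M, 8),
          ' B_mset(N)(8) =', b_mset(N, 8))
    print('all 3-tuples below 3 respect the encodings:', check_encodings(3, 3))
```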

B Abstraction 

We are given a finite system of recursive equations. Our goal is to analyse the possible 
computations of a program whose initial shape is $R = \nu s\,(A_1(v_1) \mid \cdots \mid A_n(v_n))$. We will 
assume that initially all thread identifiers are reset points, i.e., $A_1, \ldots, A_n \in Reset$. We 
will proceed in two steps. First, we will abstract the program (the system of equations, 
actually) as a term-rewriting system. Second, we will show that the inequalities we have 
produced in table 1 guarantee feasible reactivity for the abstracted system and therefore 
for the concrete one. 

B.l Abstracting signal names 

The only information we will keep of a signal name is its type $Sig_\rho(t)$. Thus we know its 
region $\rho$ and the type of the values it may carry. Formally, we select a distinct canonical 
constant, say $s$, for every type $Sig_\rho(t)$ and replace in the program every occurrence of 
a signal name of the same type with $s$. Following this operation, we remove all name 
generation instructions $\nu s$. As for the operation $[s_1 = s_2]P_1, P_2$ that compares signal 
names, we will simply disregard it and systematically explore the situations where one of 
the programs $P_1$ or $P_2$ is executed. This is like replacing a conditional $[s_1 = s_2]P_1, P_2$ with 
an internal choice $P_1 \oplus P_2$. 

B.2 Abstracting pattern matching 

Consider a pattern matching instruction $[x \rhd p]P_1, P_2$. As in the name comparison opera- 
tion, we will systematically consider the situations where $P_1$ or $P_2$ is executed. However, 
in the case where the first branch $P_1$ is selected, we will remember that $x$ must match the 
pattern $p$. 

B.3 Abstracting the input 

In section 4.1 we have associated a distinct label (a variable) $y$ with every input. We rely 
on this variable to compute 'abstractly' beyond an input. Namely, in the input operations, 
say, $s_y(x).P, A(f(!_{y'}s'))$, we will consider both the possibility where a signal is received on 
$s$ and the computation continues within the instant with $[y/x]P$ and the possibility that 
the computation suspends and resumes in the following instant with $A(f(y'))$. 

B.4 Rewriting rules 

We will rely on rewriting rules of the shape 

\[ A^+(p) \to \overline{s}e \qquad (3) \]

to express the situation where the thread identifier $A$ with parameters and inputs that 
match the patterns $p$ emits within the same instant the value resulting from the evaluation 
of the expression $e$ on the signal $s$. 

We will also rely on rewriting rules of the shape: 

\[ A^+(p) \to T \qquad \mbox{or} \qquad A^+(p) \mapsto T \qquad (4) \]

to describe the situation where the thread identifier $A$ with parameters and inputs that 
match the patterns $p$ evolves into a continuation $T$. Here, the reduction symbol can be 
either $\to$ or $\mapsto$, with the convention that we use $\to$ to describe a situation where the con- 
tinuation $T$ runs in the same instant and $\mapsto$ to describe a situation where the continuation 
$T$ runs in the following instant. 

Moreover, the continuation $T$ can have two shapes: 

• Either $B \notin Reset$, $T = B^+(e, y_B)$, and $p = p', y_B$, 

• or $B \in Reset$ and $T = \lambda y_B . B^+(e, y_B)$. 
Thus the rule is declined into four cases: the continuation $T$ can run in the same instant 
or not and it can be a reset point or not. 

Here the notation $e, y_B$ (or $p', y_B$) should be understood with a grain of salt. We just 
mean that the parameters can be partitioned into two groups one of which corresponds 
to the auxiliary variables of the thread identifier $B$; the parameters $y_B$ do not necessarily 
follow the others. In case $y_B$ is empty, we will take the convention that $\lambda y_B$ is a dummy 
abstraction. As usual in term-rewriting, it is assumed that the variables free in the emitted 
expression $e$ or the continuation $T$ are contained in the variables in the patterns $p$ (recalling 
that the abstraction of a signal name is treated as a constant). 



B.5 Generating the rewriting rules 

Given a finite system of recursive equations, the computation of the term rewriting rules 
follows quite closely the generation of the inequalities described in table 1. Namely for 
each equation $A(x) = P$ we compute the function $\mathcal{R}(P, A^+(x, y_A))$ which is defined on the 
structure of $P$ as follows: 



$\mathcal{R}(P, A^+(p)) = $ case $P$ of 
\[
\begin{array}{lcl}
[x \rhd p]P_1, P_2 & : & \mathcal{R}(P_1, A^+([p/x]p)) \cup \mathcal{R}(P_2, A^+(p)) \\
[s_1 = s_2]P_1, P_2 & : & \mathcal{R}(P_1, A^+(p)) \cup \mathcal{R}(P_2, A^+(p)) \\
(P_1 \mid P_2) & : & \mathcal{R}(P_1, A^+(p)) \cup \mathcal{R}(P_2, A^+(p)) \\
\nu s\, P' & : & \mathcal{R}(P', A^+(p)) \\
\overline{s}e & : & \{A^+(p) \to \overline{s}e\} \\
B(e) & : & \left\{ \begin{array}{ll} \{A^+(p) \to B^+(e, y_B)\} & \mbox{if } B \notin Reset \\ \{A^+(p) \to \lambda y_B . B^+(e, y_B)\} & \mbox{if } B \in Reset \end{array} \right. \\
s_y(x).P', B(r) & : & \left\{ \begin{array}{ll} \mathcal{R}([y/x]P', A^+(p)) \cup \{A^+(p) \mapsto B^+(\overline{r}, y_B)\} & \mbox{if } B \notin Reset \\ \mathcal{R}([y/x]P', A^+(p)) \cup \{A^+(p) \mapsto \lambda y_B . B^+(\overline{r}, y_B)\} & \mbox{if } B \in Reset \end{array} \right.
\end{array}
\]



Here the abstracted variables $\lambda y_B$ are supposed to be fresh. Also note that by the shape 
of the rules we can never rewrite an emission $\overline{s}e$ or an abstraction such as $\lambda y_B . B^+(e, y_B)$ 
since these terms never match the left-hand side of a rule. 

Example 10. We compute the term rewriting rules associated with our running examples. 
For example [1] we derive: 

$Cell^+(s, q, \ell, y) \to Send^+(s, q, \ell, \ell, y)$ 

$Send^+(s, q, \ell, cons(s', \ell''), y) \to Send^+(s, q, \ell, \ell'', y)$ 

$Send^+(s, q, \ell, cons(s', \ell''), y) \to s'q$ 

$Send^+(s, q, \ell, \ell', y) \mapsto \lambda y'.Cell^+(s, next(q, y), \ell, y')$ 

For example [2] we derive: 

$Server^+(s, y) \mapsto Handle^+(s, y)$ 

$Handle^+(s, cons(req(s', x), \ell')) \to Handle^+(s, \ell')$ 

$Handle^+(s, cons(req(s', x), \ell')) \to s'f(x)$ 

$Handle^+(s, \ell) \mapsto \lambda y.Server^+(s, y)$ 

Finally, for example [3] we derive: 

$A^+(s, y) \mapsto B^+(s, y)$ 

$B^+(s, cons(n, \ell')) \to sn$ 

$B^+(s, cons(n, \ell')) \to B^+(s, \ell')$ 

$B^+(s, \ell) \mapsto \lambda y.A^+(s, y)$ 

$C^+(s) \to sn$ 

$C^+(s) \mapsto \lambda().C^+(s)$ 
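The generation function of section B.5, run on a constructed encoding of the third running example; this is an added example, not the paper's code. The process terms, the tuple encoding of the syntax and the 0 case (which yields no rule) are assumptions, since the page shows only the resulting rules.

```python
import re
# Added example (not the paper's code): the function R(P, A+(p)) of section B.5 over a
# constructed tuple encoding of processes: ('match', x, pat, P1, P2) is [x ▷ pat]P1, P2;
# ('eq', s1, s2, P1, P2); ('par', P1, P2); ('new', s, P); ('emit', s, e) is se;
# ('call', B, r) is B(r); ('in', s, y, x, P, B, r) is sy(x).P, B(r); ('nil',) is 0 (assumed).

def subst(t, x, y):
    """[y/x]t on a nested tuple: rename variable x to y in every string (primes allowed)."""
    if isinstance(t, str):
        return re.sub(rf"(?<![\w']){re.escape(x)}(?![\w'])", y, t)
    return tuple(subst(u, x, y) for u in t)

def head(name, args):
    return f"{name}+({', '.join(args)})"

def call_rhs(B, r, aux, reset):
    """B+(e, y_B), wrapped in λy_B when B is a reset point (dummy λ() if y_B is empty)."""
    target = head(B, tuple(r) + aux[B])
    return f"λ{', '.join(aux[B]) or '()'}.{target}" if B in reset else target

def gen(P, A, p, aux, reset):
    """R(P, A+(p)): rules rendered 'lhs -> rhs' (same instant) or 'lhs |-> rhs' (next one)."""
    lhs, kind = head(A, p), P[0]
    if kind == 'match':                      # [pat/x] is applied to the pattern of A+
        return gen(P[3], A, subst(p, P[1], P[2]), aux, reset) | gen(P[4], A, p, aux, reset)
    if kind in ('eq', 'par', 'new'):         # union over the sub-processes
        return set().union(*(gen(Q, A, p, aux, reset) for Q in P[1:] if isinstance(Q, tuple)))
    if kind == 'emit':
        return {f"{lhs} -> {P[1]}{P[2]}"}
    if kind == 'call':
        return {f"{lhs} -> {call_rhs(P[1], P[2], aux, reset)}"}
    if kind == 'nil':
        return set()
    _, s, y, x, P1, B, r = P                 # sy(x).P1, B(r): P1 now, B(r) next instant
    return gen(subst(P1, x, y), A, p, aux, reset) | {f"{lhs} |-> {call_rhs(B, r, aux, reset)}"}

# Constructed system reproducing the rules of example 3 on the page: A and C are reset
# points and y is A's auxiliary variable (the dereferenced signal s).
NIL = ('nil',)
SYSTEM = {
    'A': (('s',), ('in', 's', 'y', 'x', NIL, 'B', ('s', 'y'))),
    'B': (('s', 'l'), ('match', 'l', "cons(n, l')",
                       ('par', ('emit', 's', 'n'), ('call', 'B', ('s', "l'"))),
                       ('in', 's', 'y', 'x', NIL, 'A', ('s',)))),
    'C': (('s',), ('par', ('emit', 's', 'n'), ('in', 's', 'y', 'x', NIL, 'C', ('s',)))),
}
AUX, RESET = {'A': ('y',), 'B': (), 'C': ()}, {'A', 'C'}

def rules_of(system=SYSTEM, aux=AUX, reset=RESET):
    """For each equation A(x) = P compute R(P, A+(x, y_A)) and collect all the rules."""
    return set().union(*(gen(P, A, x + aux[A], aux, reset) for A, (x, P) in system.items()))
```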

Remark 1. The reader might have noticed that the rewriting rules and the inequalities we 
have produced do not keep track of events that can happen in parallel, like "emitting two 
signals and calling another thread". This information can be neglected because we have 
assumed we are handling finite control programs. In such programs a call to an identifier 
$A$ may generate at most one call to another thread identifier (either in the current instant 
or in the following one) plus a number of emissions that is bounded by a constant that 
depends on the size of the program only. Alternatively, we could have considered rewriting 
rules such as: 

$A^+(p) \to s_1 e_1 \parallel s_2 e_2 \parallel B^+(e, y_B)$ 

where the right hand side carries a composition operator $\parallel$ to express the parallelism of the 
events. We note that this approach may produce exponentially more rules than the previous 
one because one needs to distribute the parallel composition through the non-determinism. 

C Analysis 

We proceed to an analysis of the abstracted system, i.e., of the term rewriting system. 
Table [2] summarizes the inequalities that are associated with each kind of term rewriting 
rule. 

A term rewriting rule describes a family of ground rewriting rules which is obtained by 
replacing the variables with ground substitutions $\sigma$ and by evaluating the ground expres- 
sions according to the evaluation axioms. We write 

if there is a term rewriting rule $A^+(p) \to se$ and a ground substitution $\sigma$ such that $\sigma p = v$ 
and $\sigma e \Downarrow v$. In a similar way, we write 

$A^+(v, u) \to B^+(v', u)$ (or $A^+(v, u) \mapsto B^+(v', u)$) 

if there is a term rewriting rule $A^+(p, y_B) \to B^+(e, y_B)$ (or $A^+(p, y_B) \mapsto B^+(r, y_B)$) and 
a ground substitution $\sigma$ such that $\sigma p = v$, $\sigma y_B = u$, and $\sigma e \Downarrow v'$ (or $\sigma r \Downarrow v'$). Finally, we 
write 

$A^+(v) \to \lambda y_B.B^+(v', y_B)$ (or $A^+(v) \mapsto \lambda y_B.B^+(v', y_B)$) 
if there is a term rewriting rule $A^+(p) \to \lambda y_B.B^+(e, y_B)$ (or $A^+(p) \mapsto \lambda y_B.B^+(r, y_B)$) 
and a ground substitution $\sigma$ such that $\sigma p = v$, and $\sigma e \Downarrow v'$ (or $\sigma r \Downarrow v'$). 

Rewriting Rules / Associated Inequalities 

(R1) $A^+(p) \to se$, $s : Sig_\rho(t)$ : 
$A^+(p)\downarrow\rho \geq_2 e$ 

(R2) $A^+(p, y_B) \to B^+(e, y_B)$ : 
$A^+(p, y_B) >_{st} B^+(e, y_B)$ if $A =_F B$; 
$A^+(p, 0)_{I_A} \geq_1 B^+(e, 0)_{I_B}$; 
$A^+(p, y_B)\downarrow\rho \geq_2 B^+(e, y_B)\downarrow\rho$ if $\rho \in W(B)$ 

(R3) $A^+(p) \to \lambda y_B.B^+(e, y_B)$ : 
$A^+(p)_{I_A} \geq_1 B^+(e, 0)$ 

(R4) $A^+(p, y_B) \mapsto B^+(r, y_B)$ : 
$A^+(p, 0)_{I_A} \geq_1 B^+(r, 0)_{I_B}$; 
$A^+(p, y_B)\downarrow\rho \geq_2 B^+(r, y_B)\downarrow\rho$ if $\rho \in W(B)$ 

(R5) $A^+(p) \mapsto \lambda y_B.B^+(r, y_B)$ : 
$A^+(p)_{I_A} \geq_1 B^+(r, 0)$ 

Table 2: Inequalities associated with the term rewriting rules 

Consider a ground rewriting rule representing a computation step. As we have seen, this 
rule is an instance of a term rewriting rule. In turn, we have associated a set of inequalities 
with every term rewriting rule. Let us now assume we have an assignment $q$ that satisfies 
all generated inequalities. Table [3] spells out what this means in terms of the ground 
rewriting rule. To this end, we need some notation to distinguish the parameters $e$ of a 
thread identifier $A^+$ (remember that a list of variables $y_B$ or a list of patterns $p$ is also a list 
of expressions and that $r$ is a list of expressions too since, by definition, the dereferenced 
signals are replaced by variables). We distinguish between proper parameters and auxiliary 
parameters (those corresponding to an input). Among the former, we distinguish those 
in the set $I_A$ ($e_{I_A}$) and the others ($e_{J_A}$). Among the latter, for a given region $\rho$, we 
distinguish those whose rank is smaller than $\rho$ ($e_{\downarrow\rho}$) and the others ($e_{\uparrow\rho}$). To summarise, 
given a list of parameters $e$ and a region $\rho$, we can always partition it into four parts: 
$e = e_{I_A}, e_{J_A}, e_{\downarrow\rho}, e_{\uparrow\rho}$. 

We also notice that $A^+(e, y_A)_{I_A} = A^+(e, 0)_{I_A}$ since by definition all auxiliary parame- 
ters are set to $0$. Moreover, if $A$ is a reset point then $A^+(e, 0)_{I_A} = A^+(e, 0)$ since for the 
reset points, $I_A$ coincides with the proper parameters. Finally, we recall that the restriction 
$\downarrow\rho$ acts only on the auxiliary parameters. 



(R1) $A^+(p) \to se$, $s : Sig_\rho(t)$, $p = p_1, p_2$, $p_2 = p_{\uparrow\rho}$, 
$\sigma(p_1, p_2) = v_1, v_2$, $\sigma e \Downarrow v$ 
$q \models A^+(v_1, 0) \geq v$ 

(R2) $A^+(p, y_B) \to B^+(e, y_B)$, $\rho \in W(B)$, $p, y_B = p_1, \ldots, p_4, y_5, y_6$, 
$p_1 = p_{I_A}$, $p_2 = p_{J_A}$, $p_3 = p_{\downarrow\rho}$, $p_4 = p_{\uparrow\rho}$, $y_5 = (y_B)_{\downarrow\rho}$, $y_6 = (y_B)_{\uparrow\rho}$, 
$e = e_1, e_2$, $e_1 = e_{I_B}$, $e_2 = e_{J_B}$, 
$\sigma(p_1, \ldots, p_4, y_5, y_6) = v_1, \ldots, v_4, u_5, u_6 = v, u$, $\sigma(e_1, e_2) \Downarrow (v'_1, v'_2) = v'$ 
$q \models (v, u) >_{st} (v', u)$, if $A =_F B$, $status(A) = status(B) = st$, 
$q \models A^+(v_1, 0, 0, 0, 0, 0) \geq B^+(v'_1, 0, 0, 0)$, 
$q \models A^+(v_1, v_2, v_3, 0, u_5, 0) \geq B^+(v'_1, v'_2, u_5, 0)$ 

(R3) $A^+(p) \to \lambda y_B.B^+(e, y_B)$, $p = p_1, p_2$, $p_1 = p_{I_A}$, 
$\sigma(p_1, p_2) = v_1, v_2$, $\sigma e \Downarrow v'$ 
$q \models A^+(v_1, 0) \geq B^+(v', 0)$ 

(R4) $A^+(p, y_B) \mapsto B^+(r, y_B)$, $\rho \in W(B)$, $p, y_B = p_1, \ldots, p_4, y_5, y_6$, 
$p_1 = p_{I_A}$, $p_2 = p_{J_A}$, $p_3 = p_{\downarrow\rho}$, $p_4 = p_{\uparrow\rho}$, $y_5 = (y_B)_{\downarrow\rho}$, $y_6 = (y_B)_{\uparrow\rho}$, 
$r = r_1, r_2$, $r_1 = r_{I_B}$, $r_2 = r_{J_B}$, 
$\sigma(p_1, \ldots, p_4, y_5, y_6) = v_1, \ldots, v_4, u_5, u_6$, $\sigma(r_1, r_2) \Downarrow v'_1, v'_2$ 
$q \models A^+(v_1, 0, 0, 0, 0, 0) \geq B^+(v'_1, 0, 0, 0)$, 
$q \models A^+(v_1, v_2, v_3, 0, u_5, 0) \geq B^+(v'_1, v'_2, u_5, 0)$ 

(R5) $A^+(p) \mapsto \lambda y_B.B^+(r, y_B)$, $p = p_1, p_2$, $p_1 = p_{I_A}$, 
$\sigma(p_1, p_2) = v_1, v_2$, $\sigma r \Downarrow v'$ 

Table 3: What the quasi-interpretation guarantees of a ground rewriting step 

C.1 Proof of lemma [2] 

We analyse ground reductions of the shape: 

$A_1^+(v_1) \to \cdots \to A_k^+(v_k)$ 

These reductions correspond to a sequence of recursive calls that happen within the same 
instant (and the same cycle). Suppose the maximum arity of a thread identifier $A^+$ in 
a given program is $n$. Moreover, suppose $c$ is a bound on the size of the values $v_j$ for 
$j = 1, \ldots, k$. Then the length $k$ of the reduction sequence is $O(c^n)$. To see this, notice 
that $A_i \geq_F A_{i+1}$ for $i = 1, \ldots, k-1$. The inequality $\geq_F$ can be strict at most a constant 
number of times that depends on the program. Thus, it suffices to prove the assertion 
when $A_i =_F A_{i+1}$, for $i = 1, \ldots, k-1$, knowing that the thread identifiers have the same 
status $st$ and the same arity $n$. By the existence of a quasi-interpretation $q$ (case (R2) in 
table [3]), we have: 

$q \models v_1 >_{st} v_2 >_{st} \cdots >_{st} v_k$ 

By the properties of assignments, we know that the interpretation of a value is proportional 
to its size. Thus we can conclude by applying lemma [1]. 

C.2 Proof of lemma [3] 

We analyse ground reductions of the shape: 

$A_1^+(v_1) \Rightarrow \cdots \Rightarrow A_n^+(v_n) \Rightarrow \lambda y_{A_{n+1}}.A_{n+1}^+(v, y_{A_{n+1}})$ 

where $A_1 \in Reset$, $\Rightarrow \in \{\to, \mapsto\}$, and the last reduction is optional. These reductions 
correspond to a sequence of recursive calls that start with a reset point and continue 
within a cycle (but may span several instants). Optionally, these reductions may reach 
another reset point. Let us denote with $(v_j)_{I_{A_j}}$ the parameters whose indexes correspond 
to $I_{A_j}$. Recall that if $B$ is a reset point then $I_B$ coincides with the proper parameters. By 
the cases (R2) and (R4) in table [3] we have: 

$q \models A_1^+((v_1)_{I_{A_1}}, 0) \geq \cdots \geq A_n^+((v_n)_{I_{A_n}}, 0)$. 

Moreover, at the last optional step, by inspection of the cases (R2) and (R4) in table [3], 
we deduce: 

$q \models A_n^+((v_n)_{I_{A_n}}, 0) \geq A_{n+1}^+(v, 0)$. 

In other terms, we know that if starting from a call $A(v)$ we arrive at a call $B(u)$ then 
$q \models A^+(v, 0) \geq B^+((u)_{I_B}, 0)$. In particular, we see that, up to the quasi-interpretation, 
the initial configuration $A(v)$ dominates all the following configurations at the beginning 
of a cycle. 

C.3 Proof of lemma [4] 

We analyse ground reductions of the shape: 

$A_1^+(v_1) \Rightarrow \cdots \Rightarrow A_n^+(v_n) \to sv$ 

where $A_1 \in Reset$, $\Rightarrow \in \{\to, \mapsto\}$, $\rho \in W(A_n)$, and the last reduction (R1) is optional with $s$ 
also belonging to region $\rho$. 
These reductions correspond to a sequence of recursive calls that start with a reset point 
and continue within a cycle (but may span several instants). Optionally, these reductions 
may reach a point where a value is emitted. 

Let $c$ be a bound on the size of the parameters at the beginning of the computation 
and the size of the values emitted by the environment at the beginning of an instant. Each 
vector $v_j$ can be decomposed in $v'_j, v''_j$ where $v''_j$ correspond to the auxiliary parameters 
on regions whose rank is not smaller than $\rho$'s. Applying cases (R1), (R2) and (R4) in table 
[3] we deduce: 

$q \models A_1^+(v'_1, 0) \geq \cdots \geq A_n^+(v'_n, 0) \geq v$ 

Therefore we establish: 

Property A The size of the emitted value v is polynomial in c and the size of the values 
read in regions whose rank is smaller than p's. 

How many times can a value be emitted on a region p within an instant? Between 
two calls, a thread can only emit a number of messages which is bounded by a constant. 
Therefore, as in lemma [2] it is enough to focus on the length of computations that happen 
within an instant. We focus on ground reductions of the shape: 

$A_1^+(v_1) \Rightarrow \cdots \Rightarrow A_k^+(v_k) \Rightarrow \cdots \Rightarrow A_n^+(v_n)$ 

where $A_1 \in Reset$, $\Rightarrow \in \{\to, \mapsto\}$, $A_k =_F \cdots =_F A_n$, $st = status(A_k) = \cdots = status(A_n)$, 
and $\rho \in W(A_j)$, for $j = k, \ldots, n$. 

These reductions are a particular case of those considered above, where we suppose 
that after an initial sequence of recursive calls the computation reaches a series of calls 
among thread identifiers that can mutually call each other. Let $u$ be the arguments that 
correspond to the auxiliary parameters of $A_j^+$ for $j = k, \ldots, n$. Each vector $v_j$ can be 
decomposed in $v'_j, u$ for $j = 1, \ldots, n$. 

Applying cases (R2) and (R4) in table [3] we deduce: 

$q \models A_1^+(v_1)\downarrow\rho \geq \cdots \geq A_k^+(v'_k, (u)_{\downarrow\rho}, 0) \geq \cdots \geq A_n^+(v'_n, (u)_{\downarrow\rho}, 0)$ 

Property B The parameters v'j for j = k, . . . ,n are polynomial in c and the size of 
values read in regions whose rank is smaller than p's. 

Remember that by construction there is always a region $\rho$ in $W(A_k)$. Therefore, prop- 
erty B guarantees that the size of the proper parameters of a call to a thread identifier is 
under control. 

Now, applying case (R2) in table [3] we deduce: 

$q \models (v'_k, u) >_{st} \cdots >_{st} (v'_n, u)$ 

Because the values $u$ are constant, we are forced to decrease the parameters $v'_j$ with respect 
to the status $st$. By Property B, these parameters are polynomial in $c$ and the size of the 
values read in regions whose rank is smaller than $\rho$'s. By lemma [2] we know that the length 
of the sequence is polynomial in the size of the largest parameter. Thus we compose the 
polynomials to obtain the following. 

Property C The number of times a value can be emitted within an instant in a region 
p is polynomial in c and the size of values read in regions whose rank is smaller than p's. 

It remains to analyse how in our model the size of the values read from a region depends 
on the size of the values emitted in that region. We have the following property. 

Property D The values read from a region p are the concatenation of some of the values 
emitted in the region p within the same instant. 

We can now proceed by induction on the rank of region p to show that the size of the 
concatenation of some of the values emitted in the region p is polynomial in c. At rank 0, 
we use directly properties A and C noticing that the concatenation of polynomially many 
values whose size is polynomial in c produces a value which is again polynomial in c. At 
rank n + 1, we use again properties A and C and the inductive hypothesis. Obviously the 
degree of the polynomial will depend on the highest rank of a region which depends on the 
program only. 

C.4 Proof of theorem [1] 

We can now conclude our proof. Since the size of the computed values is polynomial in 
c, we can apply lemma [2] and derive that each instant terminates in time polynomial in c. 
Thus the existence of a quasi-interpretation entails feasible reactivity. 